Comment by PH95VuimJjqBqy
2 years ago
This is a case of militancy.
If we're talking about a typed integer there is no chance of that turning into an SQL injection attack.
If we're talking about a string, I'd probably insist on parameterizing it even if we completely own it just on the off chance that the future changes.
To draw an analogy, gun safety is important and everyone knows it. But I don't practice gun safety while watching television on my couch because the gun is locked away. I practice gun safety when I'm actually handling the thing that is dangerous.
And yes, I realize it being locked away is technically gun safety, it's an imperfect analogy, please roll with it.
Your analogy is not flawed, but your conclusion is.
It is a perfect analogy because you are practicing gun safety by locking the gun away. If someone that you are not expecting wanders into your home while you are sitting on the couch, such as a child, they will not suddenly have access to the firearm. This is exactly why you don't assume that you will never receive unsafe input in this situation.
And as you're sitting on that couch watching television you're also practicing car safety because you're not actively breaking any traffic laws.
IOW, you're free to make that claim and you're not wrong per se, but you're not right and it doesn't refute the point.
The equivalent analogy is that you didn't leave the car in neutral on the top of a hill.
The number one rule of firearm safety: treat every firearm as if it were loaded.
And yet children shoot themselves or others all the time because a gun was not safely stored.
But I digress...
To be pedantic, just being "typed" is not enough these days with dynamically-typed server code.
I disagree with you; if it's typed, it's safe. The issue is if it's untyped or the type isn't enforced (by the runtime, by the compiler, or by the code itself).
I understand your point, I'm just saying if it's actually typed, it's safe.
> If we're talking about a typed integer there is no chance of that turning into an SQL injection attack.
Unless the database table switches to non-integer IDs at some point.
Ruby is a dynamic language.
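The following is an added example, not a comment from this thread and not code from any of its participants, showing the point the discussion circles around in Ruby: an `id` that is genuinely an `Integer` cannot carry an injection payload when interpolated, but a dynamically typed web stack hands you request parameters as `String`s, so "typed" only holds if the code enforces it at the boundary (or parameterizes the query regardless). The `PARAMS` hash is constructed to mimic what Rack delivers; the function names are my own.

```ruby
# Added example: why "it's typed, so it's safe" depends on the type actually
# being enforced in dynamically typed Ruby. No database is needed; the
# functions return the SQL they would send so the result can be inspected.

# Vulnerable: interpolates whatever it is handed. Safe ONLY if `id` is an
# Integer, which nothing here checks.
def interpolated_query(id)
  "SELECT * FROM users WHERE id = #{id}"
end

# Same interpolation, but the type is enforced by the code itself, so a String
# (including one carrying SQL) is rejected before it ever reaches the query.
def typed_query(id)
  raise TypeError, "id must be an Integer, got #{id.class}" unless id.is_a?(Integer)
  "SELECT * FROM users WHERE id = #{id}"
end

# Parameterized form: the SQL never contains the value, so the type of `id`
# no longer matters for injection (the driver binds it separately). This is
# also the version that survives the "table switches to non-integer IDs" case.
def parameterized_query(id)
  ["SELECT * FROM users WHERE id = ?", [id]]
end

# Converting a request parameter to an Integer at the boundary. Kernel#Integer
# with an explicit base raises ArgumentError on anything that is not a whole
# decimal number, unlike String#to_i which silently returns the leading digits.
def coerce_id(raw)
  Integer(raw, 10)
end

# Constructed request parameters, shaped the way Rack/Rails deliver them:
# every value is a String, even for a column that is an integer in the schema.
PARAMS = { "id" => "1 OR 1=1" }.freeze

if $PROGRAM_NAME == __FILE__
  puts interpolated_query(PARAMS["id"])          # payload passes straight through
  puts parameterized_query(PARAMS["id"]).inspect # payload stays in the bind list
  begin
    typed_query(PARAMS["id"])
  rescue TypeError => e
    puts "typed_query rejected it: #{e.message}"
  end
  begin
    coerce_id(PARAMS["id"])
  rescue ArgumentError => e
    puts "coerce_id rejected it: #{e.message}"
  end
  puts PARAMS["id"].to_i # 1: to_i would have hidden the payload, not rejected it
end
```

Note the difference between `Integer(str, 10)` and `str.to_i`: both produce an integer, so both "type" the value, but only the former tells you that the input was not what you expected. Whichever you pick, the parameterized version is the one that stays correct if the schema changes.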