Why is an apostrophe appearing as ' in Ruby on Rails and is this a sign of a security issue?


I'm new to Ruby on Rails and I'm using a form_helper to create and update records. In the form below, I'm collecting information to save data for maps that users can create. The :name field is the name that user gives to a map. It's saved to a MySQL table into a field that is varchar(255).

If I name a map "John's Map", it appears in both the database and in the view as

    John's Map 

How can I prevent this from happening, and is my code susceptible to SQL injection with this approach?

I've seen some responses related to Python and PHP, but I wasn't sure about Rails. I'm using Virtualmin to create tables, so any responses that let me address the issue within Virtualmin would be much appreciated. Thanks!

From View

    <% form_for @newsavedmap, :html=>{:id=>'createaMap'} do |f| %>
    <%= f.error_messages %>

    <% if params[:newsavedmap_id] %>
    <p><%= f.text_field :name, {:id=>"savemap_name", :size=>30, :value=> @newsavedmap.name }%></p>
    <% else %>
    <p><%= f.text_field :name, {:id=>"savemap_name", :size=>30, :value=>"New Map"}%></p>
    <% end %>
    <% end %>

Database Table Details

    DROP TABLE IF EXISTS `newsavedmaps`;
    /*!40101 SET @saved_cs_client     = @@character_set_client */;
    /*!40101 SET character_set_client = utf8 */;
    CREATE TABLE `newsavedmaps` (
    FIELDSAREALLLISTEDHERE
    `name` varchar(255) DEFAULT NULL,
    ) ENGINE=InnoDB AUTO_INCREMENT=159 DEFAULT CHARSET=utf8;
    /*!40101 SET character_set_client = @saved_cs_client */;

Other tables in the database display the apostrophe. For example, I have another form that looks like the below, and when a user enters a name with an apostrophe, the apostrophe appears as an apostrophe in the table.

    <form id="createitem" action="/saveditems" method="post">
    <label for="saveditem_name">Item Title</label>
    <%= text_field :saveditem, :name %>

That table's structure:

    DROP TABLE IF EXISTS `saveditems`;
    /*!40101 SET @saved_cs_client     = @@character_set_client */;
    /*!40101 SET character_set_client = utf8 */;
    CREATE TABLE `saveditems` (
    FIELDSAREALLLISTEDHERE
    `name` varchar(255) NOT NULL, 
    ) ENGINE=MyISAM AUTO_INCREMENT=8418 DEFAULT CHARSET=latin1;
    /*!40101 SET character_set_client = @saved_cs_client */;

Edit 1

I used ALTER TABLE newsavedmaps CONVERT TO CHARACTER SET latin1; and my newsavedmaps table now looks like this:

    DROP TABLE IF EXISTS `newsavedmaps`;
    /*!40101 SET @saved_cs_client     = @@character_set_client */;
    /*!40101 SET character_set_client = utf8 */;
    CREATE TABLE `newsavedmaps` (
    FIELDS ALL LISTED HERE
    ) ENGINE=InnoDB AUTO_INCREMENT=248 DEFAULT CHARSET=latin1;
    /*!40101 SET character_set_client = @saved_cs_client */;

The apostrophes now appear correctly in the database, but they still show up in the view as strange characters. Any ideas? Could this have anything to do with this: https://github.com/rails/rails/issues/9108
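Added example, not part of the question or its code, written in plain Ruby so it runs without Rails. It uses `ERB::Util.html_escape`, the same escaping that ERB-based views apply, to show what an apostrophe becomes on output and why a value that is HTML-escaped before it is stored and then escaped again at render time appears in the page as literal entity text, the symptom described above. The function names and the sample map name are constructed for the illustration; that double escaping is the mechanism behind this particular case is an assumption.

```ruby
require "erb"
require "cgi"

# Constructed sample input: the map name from the question.
RAW_NAME = "John's Map"

# Correct pattern: the database holds exactly what the user typed and the
# view escapes it once at render time. ERB::Util.html_escape turns the
# apostrophe into the numeric entity &#39; in the generated HTML.
def render_from_raw(stored)
  ERB::Util.html_escape(stored)
end

# Mistaken pattern: the value is escaped before it is saved, so the entity
# text itself ends up in the varchar column.
def escape_before_store(raw)
  ERB::Util.html_escape(raw)
end

# The view then escapes the stored value again: the leading "&" of the
# entity becomes "&amp;", so the browser shows "&#39;" as literal text.
def render_double_escaped(stored_escaped)
  ERB::Util.html_escape(stored_escaped)
end

# What a browser displays for a piece of markup: entities decoded once.
def browser_displays(markup)
  CGI.unescapeHTML(markup)
end

if __FILE__ == $0
  puts "stored raw, escaped once : #{render_from_raw(RAW_NAME)}"
  puts "  browser shows          : #{browser_displays(render_from_raw(RAW_NAME))}"

  stored = escape_before_store(RAW_NAME)
  markup = render_double_escaped(stored)
  puts "stored escaped, escaped again: #{markup}"
  puts "  browser shows              : #{browser_displays(markup)}"
end
```

The rule the example illustrates: keep the stored value as the user typed it and let the view escape it exactly once; never mark stored text as HTML-safe to make the entity disappear, because that disables the escaping that protects the page from script in user input. The entity in the column is an output-encoding problem, not evidence of SQL injection: when ActiveRecord assigns attributes from form params and saves the record, the database adapter quotes the values, so an apostrophe in a map name cannot terminate the SQL string. Interpolating request data directly into hand-written SQL fragments would be a separate matter.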
