18 comments

[ 2.6 ms ] story [ 51.1 ms ] thread
So Active Record is building its SQL from string concatenation, not using prepared statements with bind variables?
No, ActiveRecord uses bind variables. It uses prepared statements in some cases.
All ORMs build at least some of their SQL using string concatenation.

Prepared statements with bind variables only work when the SQL string is static and only the variables change - but ORMS are used to construct full SQL statements with custom select / while / join clauses etc.

No, you just have to use some intelligence in tracking your bind variables and bind values together instead of blindly bashing strings together, then at some distant location in the code guess & hope about the number of bind values used. I've got code that does it just fine.
No you can definitely use prepared statements with bind variables since you can dynamically name the bind variables. So if you have a statement where you don't know how many bind variables will go into the query you can give the bind variable a name and add a number at the end that you increment for each additional bind variable (e.g. @param + i for @param1, @param2, @param3, etc.).

Depending on how complex your query is it can get to be a bit of work but it's doable.

Yes, all ORM's build their SQL using string concatenation, BUT the good ORM's won't use string concatenation on user data, instead they will use bind parameters.

This way the query sent to the server looks like this:

  SELECT * FROM whatever WHERE email = :1 AND user_name = :2;
And then the parameters are passed to the database server separately to bind to the above placeholders.

This way the database server knows what is user provided data and what is part of the SQL, and no special quoting is required since the database server handles that internally. It's much safer in that SQL injection becomes impossible at that point.

That's not what OP was saying. That SQL string you just provided is static. At some point the ORM has to assemble that string.
OP said:

  > Prepared statements with bind variables only work when the SQL string is static and only the variables change
This is wrong.
I said "All ORMs build at least some of their SQL using string concatenation"

The "at least some" was meant to imply that they also use bind variables.

(comment deleted)
Looks like the Rails 3.2 update drags along a few other unrelated changes, although they appear to be fairly minor: https://github.com/rails/rails/compare/v3.2.18...v3.2.19

as compared to: https://github.com/rails/rails/compare/v4.1.2...v4.1.3 and https://github.com/rails/rails/compare/v4.0.6...v4.0.7

You should be able to see if you are vulnerable by running this query:

  select 
        cn.nspname as schema, 
        relname as table, 
        attname as column, 
        tn.nspname as type_schema, 
        typname as type_name 
    from pg_attribute a 
    inner join pg_class c on a.attrelid = c.oid 
    inner join pg_namespace cn on c.relnamespace = cn.oid 
    inner join pg_type t on a.atttypid = t.oid 
    inner join pg_namespace tn on t.typnamespace = tn.oid 
    where (t.typtype = 'r' or t.typname = 'bit' or t.typname = 'varbit');
FTA: Only applications which query against either bitstring or range types are vulnerable.
It's unfortunate that the wording of the email subject (and the current HN submission title) can make it sound like the problem is with PostgreSQL, when it's really a problem with Active Record's adapter for PostgreSQL.

PostgreSQL itself isn't responsible or affected, contrary to what the "Vulnerabilities Affecting PostgreSQL" phrasing suggests at a glance.