dmeese / MathWorld

Team Bunny Slippers Math World Web Application

user input sanitization #13

Open enasni opened 11 years ago

enasni commented 11 years ago

Based on the user-created stripify method, only the characters ; ` " ' are removed. The SQLite database being used accepts -- for comments. To be safe you should also remove the -.

The best approach is to use a whitelist of acceptable characters instead of a blacklist of unwanted ones. Also, no attempt is made to validate the type of data. For instance, usernames are stored in the database yet do not have a maximum length defined nor checked.

CKinWoodstock commented 11 years ago

The -- is probably safe with the other metacharacters removed; however, to be safe, stripify will be updated to strip out -- (single - is safe and is something likely to appear in a comment string).

Also, ActiveRecord natively parameterizes its internal queries; so long as query strings passed into it are parameterized as well, there is an additional layer of safety (even a single ' gets escaped properly).

Whitelisting is difficult, as it would block characters which were otherwise safe when not combined into dangerous sequences.
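As an added illustration (not code from the MathWorld project), the following Ruby sketch puts the blacklist stripify as described in this thread next to the whitelist-plus-length check enasni suggests; the stripify bodies, USERNAME_RE and the 32-character limit are assumptions made for the example.

```ruby
# Added example, not the project's stripify: the bodies below are modelled on
# the thread's description, not copied from the repository.

BLACKLIST_CHARS = ";`\"'"  # characters the thread says stripify removes

# Blacklist as described: delete ; ` " ' and nothing else. Anything the list
# does not name (such as the -- comment sequence) passes straight through.
def stripify_v1(input)
  input.delete(BLACKLIST_CHARS)
end

# Updated blacklist proposed in the thread: also drop the -- comment sequence
# while leaving a lone - alone, since it is legitimate in a comment string.
# Applied after v1 so that "-'-" (which v1 turns into "--") is also caught.
def stripify_v2(input)
  stripify_v1(input).gsub("--", "")
end

# Whitelist alternative: accept only an explicit character set and a maximum
# length (assumed: letters, digits, _ and -, 1..32 chars). Invalid input is
# rejected outright rather than rewritten, so no stripping rules are needed.
USERNAME_RE = /\A[A-Za-z0-9_\-]{1,32}\z/

def valid_username?(input)
  USERNAME_RE.match?(input)
end

# Returns the username if acceptable, nil otherwise (caller refuses the request).
def validated_username(input)
  valid_username?(input) ? input : nil
end
```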