Fix SQL Injection (Legacy & Modern) in Camping
Camping is a Ruby micro-framework whose models have historically been built on ActiveRecord. Its footprint is small, but the SQL injection vectors are the classic ones: legacy code often builds finder conditions by string concatenation or interpolation, which can expose the entire database to an attacker who controls a route parameter. Modern Camping apps must use parameterized queries and the ORM's built-in quoting to neutralize these threats.
The Vulnerable Pattern
require 'camping'
Camping.goes :Blog   # declares Blog::Controllers and Blog::Models; a Post model is assumed

module Blog::Controllers
  class View < R '/view/(.*)'
    def get(title)
      # CRITICAL: String interpolation in the conditions string
      # Attacker can pass: /view/nonexistent' OR '1'='1
      @post = Post.find(:first, :conditions => "title = '#{title}'")
      render :post
    end
  end
end
The Secure Implementation
The vulnerable snippet uses Ruby string interpolation (`#{title}`) to build the SQL conditions string. Because the route captures everything after `/view/`, an attacker can close the string literal and append arbitrary SQL. The secure version relies on ActiveRecord's built-in parameterization: by passing a Hash to `find_by` or an Array with a `?` placeholder, ActiveRecord (through the connection adapter) quotes the value or binds it as a prepared-statement parameter, so the input is treated as a literal value rather than executable SQL. In modern Camping development, direct string manipulation in queries is a hard fail; always use the ORM's abstraction layer for input handling.
require 'camping'
Camping.goes :Blog   # declares Blog::Controllers and Blog::Models; a Post model is assumed

module Blog::Controllers
  class View < R '/view/(.*)'
    def get(title)
      # SECURE: Hash-based finder (ActiveRecord 4+); the value is bound, never interpolated
      @post = Post.find_by(title: title)
      # SECURE: Legacy parameterized query (ActiveRecord 3 and earlier)
      # @post = Post.find(:first, :conditions => ['title = ?', title])
      render :post
    end
  end
end
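The following is an added example, not code from the original page or from the Camping project: a small heuristic check, in the spirit of the remediation above, that scans Ruby source for the anti-pattern of interpolating data into a double-quoted string handed to a SQL-building finder, and accepts the parameterized forms. The sink list (`:conditions =>`, `where(`, `find_by_sql(`, `order(`, `execute(`) and the two sample sources are constructed assumptions.

```ruby
# Added example (not from the original page): a line-by-line heuristic linter for
# string-built SQL in Camping/ActiveRecord code. Multi-line calls are missed, so
# treat hits as review candidates rather than a complete audit.

# Finder arguments that become raw SQL fragments (assumed list; extend as needed).
SQL_STRING_SINKS = /:conditions\s*=>|\bwhere\(|\bfind_by_sql\(|\border\(|\bexecute\(/

# A double-quoted Ruby string literal that contains an interpolation marker.
INTERPOLATED_DQ_STRING = /"(?:[^"\\]|\\.)*#\{/

# Returns [line_number, stripped_line] for every line that builds SQL by interpolation.
def find_interpolated_sql(source)
  source.each_line.with_index(1).each_with_object([]) do |(line, lineno), findings|
    next if line.strip.start_with?('#')        # commented-out code is not a sink
    next unless line =~ SQL_STRING_SINKS
    next unless line =~ INTERPOLATED_DQ_STRING
    findings << [lineno, line.strip]
  end
end

# Constructed sample: the legacy pattern from the page plus a modern `where` variant.
VULNERABLE_SRC = <<~'RUBY'
  module Blog::Controllers
    class View < R '/view/(.*)'
      def get(title)
        @post = Post.find(:first, :conditions => "title = '#{title}'")
        @related = Post.where("author = '#{@post.author}'")
        render :post
      end
    end
  end
RUBY

# Constructed sample: the parameterized rewrite, which must produce no findings.
SECURE_SRC = <<~'RUBY'
  module Blog::Controllers
    class View < R '/view/(.*)'
      def get(title)
        @post = Post.find_by(title: title)
        # @post = Post.find(:first, :conditions => ['title = ?', title])
        @related = Post.where("author = ?", @post.author)
        render :post
      end
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_interpolated_sql(VULNERABLE_SRC).each { |n, l| puts "line #{n}: #{l}" }
  puts "secure sample: #{find_interpolated_sql(SECURE_SRC).size} findings"
end
```

Run against the vulnerable sample it reports lines 4 and 5; against the parameterized rewrite it reports nothing.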
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.