I need to sanitize an input query text field but sanitize() doesn't give
me back a string acceptable by my SQL call.
I am writing:

conditions << "users.description LIKE %#{sanitize(query_text)}%" unless description.blank?

so error.. why? : query_text = 'out' =>
sanitize(query_text)
returns " 'out' "
If I don't use sanitize, the SQL call is correct:

conditions << "users.description LIKE %#{query_text}%" unless description.blank?

so
conditions => ["users.description LIKE %out%"]
How should I use sanitize to secure this text field input?
thanks for your help
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
Sanitize is a (poor) **HTML** sanitizing function. Use instead:

conditions << ["users.description LIKE ?", "%"+query_text+"%"]

If you do that, Rails will sanitize your query!
--
Posted via http://www.ruby-forum.com/.