I need to sanitize an input query text field, but sanitize() doesn't give me back a string acceptable by my SQL call. I am writing:

conditions << "users.description LIKE %#{sanitize(query_text)}%" unless description.blank?

so error... why?

query_text = 'out' => sanitize(query_text) returns " 'out' "

If I don't use sanitize, the SQL call is correct:

conditions << "users.description LIKE %#{query_text}%" unless description.blank?

so conditions => ["users.description LIKE %out%"]

How should I use sanitize to secure this text field input? Thanks for your help.
-- Posted via http://www.ruby-forum.com/.
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
Sanitize is a (poor) **HTML** sanitizing function. Use instead:

conditions << ["users.description LIKE ?", "%"+query_text+"%"]

If you do that, Rails will sanitize your query!
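To see why the "?" placeholder form in the answer above is the right fix, here is an added example that is not from the thread and not ActiveRecord's own code: a plain-Ruby stand-in for the quoting ActiveRecord applies to "?" placeholders (assumption: ANSI single-quote doubling only; real adapters such as MySQL also escape backslashes), placed next to the string-interpolation form from the question. The sample inputs are constructed, and the method names (quote_sql_string, bind_sql, escape_like, unsafe_condition, safe_condition) are this example's own. It also goes one step beyond the thread: a bound value still contains the LIKE wildcards % and _, so the safe version escapes them too.

```ruby
# Added example; not code from the original thread or from ActiveRecord.
# Shows the difference between interpolating user input into a LIKE
# condition and binding it through a "?" placeholder.

# ANSI SQL string literal: wrap in single quotes, double any embedded quote.
# Assumption: this is all the quoting a given adapter needs (MySQL, for one,
# also escapes backslashes, which is why real code should use the "?" form).
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for ActiveRecord's "?" expansion (sanitize_sql_array): every "?"
# in the template is replaced by the quoted form of the matching value.
def bind_sql(template, *values)
  placeholders = template.count("?")
  raise ArgumentError, "#{placeholders} placeholders but #{values.size} values" if placeholders != values.size
  remaining = values.dup
  template.gsub("?") { quote_sql_string(remaining.shift) }
end

# Quoting stops SQL injection but does not neutralise LIKE wildcards: a user
# typing "%" or "_" would still match everything. Escape them with a
# backslash and declare that escape character in the query.
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |m| "\\" + m }
end

# The interpolation form from the question (quotes added so it is valid SQL).
# Constructed attacker input "' OR '1'='1" closes the literal and adds a tautology.
def unsafe_condition(query_text)
  "users.description LIKE '%#{query_text}%'"
end

# The placeholder form from the answer, plus wildcard escaping.
# Assumption: the target database accepts a LIKE ... ESCAPE '\' clause.
def safe_condition(query_text)
  pattern = "%" + escape_like(query_text) + "%"
  bind_sql("users.description LIKE ? ESCAPE '\\'", pattern)
end

if __FILE__ == $0
  ["out", "' OR '1'='1", "100%"].each do |input|   # constructed sample inputs
    puts "input:  #{input.inspect}"
    puts "unsafe: #{unsafe_condition(input)}"
    puts "safe:   #{safe_condition(input)}"
    puts
  end
end
```

For the benign input "out" both forms produce `users.description LIKE '%out%'`; for `' OR '1'='1` the interpolated form becomes `LIKE '%' OR '1'='1%'`, a condition that is always true, while the bound form keeps the whole thing inside one quoted literal. In a real Rails app keep the `["... LIKE ?", "%"+query_text+"%"]` form from the answer rather than this stand-in, and for the wildcard problem Rails 4.2 and later ship `sanitize_sql_like` on ActiveRecord::Base.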