I have a query I am mapping to a Struct that takes two parameters. What is the proper method for escaping the parameters to avoid SQL injection issues with sqlite3 when using ActiveRecord::Base.connection.select_all? I have tried using ?, but that does not seem to work at all; I get an empty array. Simply sticking the variable into the string with #{} yields the expected results.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Kendall Gifford
2011-May-24 22:42 UTC
Re: How to safely escape raw sql with connection.select_all
On Tuesday, May 24, 2011 2:43:52 PM UTC-6, Kevin wrote:
> I have a query I am mapping to a Struct that takes two parameters. What is
> the proper method for escaping the parameters to avoid sql injection issues
> with sqlite3, when using ActiveRecord::Base.connection.select_all? I have
> tried using ? but that does not seem to work at all I get an empty array.
> Simply sticking the variable into the string with #{} yields the expected
> results.

I think you can directly use the #quote method (from the ActiveRecord::ConnectionAdapters::Quoting module that's mixed into your connection). For example:

    untrusted_user_input = "B%"
    c = ActiveRecord::Base.connection
    # #quote wraps the value in single quotes and doubles any embedded ones,
    # so it reaches the statement as a single string literal
    c.select_all "SELECT * FROM your_mom WHERE hair_color LIKE #{c.quote(untrusted_user_input)}"

All the normal AR find stuff is unavailable if you're determined to directly use #select_all on your connection.

Hope that helps.
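The following script is an added example, not code from this thread or from Rails itself. It models in plain Ruby what connection.quote does to a String on SQLite and adds a small check that shows why the quoted form keeps attacker input inside one string literal while the #{} form from the question does not. Every name in it (quote, unsafe_sql, safe_sql, bind_params, escape_like, outside_literals, structure_intact?, SKELETON, the "people" table) is a local stand-in written for the illustration; it needs only a stock Ruby interpreter, not ActiveRecord or the sqlite3 gem.

```ruby
# Added example, not from the thread or from Rails: a plain-Ruby model of the
# String case of ActiveRecord's Quoting#quote, plus a structural check that
# shows what goes wrong with #{} interpolation. All helpers below and the
# "people" table are made up for this illustration.

# Quoting#quote on a String: double each embedded single quote and wrap the
# result in single quotes (the SQL-standard escape for ').
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The pattern from the question: user input interpolated straight into SQL.
def unsafe_sql(input)
  "SELECT * FROM people WHERE hair_color LIKE '#{input}'"
end

# The pattern from the answer: the value goes through the adapter's quoting.
def safe_sql(input)
  "SELECT * FROM people WHERE hair_color LIKE #{quote(input)}"
end

# What sanitize_sql_array (finders, where) does with ? placeholders: each ?
# is replaced by a quoted value, so raw text never reaches the statement.
# select_all on its own does no such substitution; a bare ? is handed to
# the driver as-is.
def bind_params(sql, *values)
  pending = values.dup
  sql.gsub("?") { quote(pending.shift) }
end

# LIKE wildcards survive quoting untouched: quote("%") is a well-formed
# literal that matches every row. Escape them for pattern arguments (what
# sanitize_sql_like does in Rails 4.2+); SQLite then needs ESCAPE '\'.
def escape_like(value, escape = "\\")
  value.to_s.gsub(/[\\%_]/) { |ch| escape + ch }
end

# Strip every single-quoted literal ('' counts as an escaped quote inside
# one) and return what is left: the text the SQL parser reads as syntax.
# A payload that changes the query has to show up in this text.
def outside_literals(sql)
  outside = +""
  i = 0
  while i < sql.length
    if sql[i] != "'"
      outside << sql[i]
      i += 1
      next
    end
    i += 1                             # consume the opening quote
    loop do
      j = sql.index("'", i)
      raise ArgumentError, "unterminated literal" unless j
      if sql[j + 1] == "'"             # '' inside the literal, keep scanning
        i = j + 2
      else
        i = j + 1                      # closing quote
        break
      end
    end
  end
  outside
end

# True when the syntax of the built statement is exactly the developer's
# skeleton, i.e. the input changed no structure. An unterminated literal
# is itself a structural change, so it counts as a failure.
def structure_intact?(sql, skeleton)
  outside_literals(sql) == skeleton
rescue ArgumentError
  false
end

SKELETON = "SELECT * FROM people WHERE hair_color LIKE "

if __FILE__ == $0
  payload = "' OR '1'='1"
  puts unsafe_sql(payload)                                # LIKE '' OR '1'='1'
  puts structure_intact?(unsafe_sql(payload), SKELETON)   # false: tautology
  puts safe_sql(payload)                                  # LIKE ''' OR ''1''=''1'
  puts structure_intact?(safe_sql(payload), SKELETON)     # true: one literal
end
```

Two caveats a practitioner will want alongside #quote. It is for values only; a table or column name taken from the request has to go through quote_table_name / quote_column_name instead, since wrapping it in single quotes just yields a string where an identifier was expected. And quoting says nothing about meaning: for LIKE, an input of "%" is a perfectly well-formed literal that matches every row, so pattern arguments need the wildcard escaping shown in escape_like (and, on SQLite, an explicit ESCAPE clause) on top of quoting.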
Thanks for the suggestion. I will try it and report back.