Escaping SQL?

In my case (data analysis) using #find* is far not enough.

I need to fill complex SQL statements with form params.
Then I use ActiveRecord::Base.connection.execute()

How to sanitize parameters to prevent injection?

Thanks in advance!

(P.S.: I use MySQL)

Qertoip wrote:

How to sanitize parameters to prevent injection?

Found: Mysql.escape_string( potentialy_evil_data )

ActiveRecord uses this method:

ActiveRecord::Base.connection.quote( string )

This should work no matter which database you’re using.

Snow Man wrote:

ActiveRecord uses this method:

ActiveRecord::Base.connection.quote( string )

This should work no matter which database you’re using.

Thanks for your response. Accidently I came across even better solution:

ActiveRecord::Base#sanitize_sql( array_like_in_find_condition )

Docs: http://tinyurl.com/y64gpx

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs