I have a query I am mapping to a Struct that takes two parameters. What
is
the proper method for escaping the parameters to avoid sql injection
issues
with sqlite3, when using ActiveRecord::Base.connection.select_all? I
have
tried using ? but that does not seem to work at all I get an empty
array.
Simply sticking the variable into the string with #{} yields the
expected
results.
On Tuesday, May 24, 2011 2:43:52 PM UTC-6, Kevin wrote:
I have a query I am mapping to a Struct that takes two parameters. What is
the proper method for escaping the parameters to avoid sql injection issues
with sqlite3, when using ActiveRecord::Base.connection.select_all? I have
tried using ? but that does not seem to work at all I get an empty array.
Simply sticking the variable into the string with #{} yields the expected
results.
I think you can directly use the #quote method (from the
ActiveRecord::ConnectionAdapters::Quoting module that’s mixed into your
connection).
For example:
untrusted_user_input = “B%”
c = ActiveRecord::Base.connection
c.select_all “SELECT * FROM your_mom WHERE hair_color LIKE
#{c.quote(untrusted_user_input)}”
All the normal AR find stuff is unavailable if you’re determined to
directly
use #select_all on your connection.
Hope that helps.
Thanks for the suggestion I will try it and report back.