How to safely escape raw sql with connection.select_all

I have a query I am mapping to a Struct that takes two parameters. What
is
the proper method for escaping the parameters to avoid sql injection
issues
with sqlite3, when using ActiveRecord::Base.connection.select_all? I
have
tried using ? but that does not seem to work at all I get an empty
array.
Simply sticking the variable into the string with #{} yields the
expected
results.

On Tuesday, May 24, 2011 2:43:52 PM UTC-6, Kevin wrote:

I have a query I am mapping to a Struct that takes two parameters. What is
the proper method for escaping the parameters to avoid sql injection issues
with sqlite3, when using ActiveRecord::Base.connection.select_all? I have
tried using ? but that does not seem to work at all I get an empty array.
Simply sticking the variable into the string with #{} yields the expected
results.

I think you can directly use the #quote method (from the
ActiveRecord::ConnectionAdapters::Quoting module that’s mixed into your
connection).

For example:

untrusted_user_input = “B%”
c = ActiveRecord::Base.connection
c.select_all “SELECT * FROM your_mom WHERE hair_color LIKE
#{c.quote(untrusted_user_input)}”

All the normal AR find stuff is unavailable if you’re determined to
directly
use #select_all on your connection.

Hope that helps.

Thanks for the suggestion I will try it and report back.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs