I’m developing a search functionality (as part of a RoR-App) and I was
wondering: Is there a way to sanitize column-names for security?
For values, there are prepared statements like:
Address.find(:all, :conditions => ['last_name LIKE ?', "Luehr"])
But for column-names, it doesn’t work:
Address.find(:all, :conditions => ['? LIKE ?', "last_name", "Luehr"])
SELECT * FROM addresses WHERE ('last_name' LIKE 'Luehr')
(last_name is used as a string here)
I looked for escaping methods but I just got DBMS specific ones like
Do you know a generic escaping method?
Thanks in advance,
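A bind parameter (`?`) can only carry a value, never an identifier, which is why the column name ends up quoted as a string above. The usual answer is to not escape column names at all but to check them against an allowlist before interpolating them into the condition. The following is an added example, not code from the original post or from Rails; `ALLOWED_COLUMNS` is a constructed stand-in for what `Address.column_names` (minus any non-searchable columns) would give you, and `quote_identifier` is a hypothetical helper standing in for the adapter's `connection.quote_column_name`.

```ruby
# Constructed stand-in for Address.column_names with sensitive columns
# removed; in a Rails app derive this from the model, not a literal.
ALLOWED_COLUMNS = %w[first_name last_name city].freeze

class UnknownColumn < ArgumentError; end

# Hypothetical identifier quoting (ANSI double quotes, embedded quote
# doubled). In Rails you would call connection.quote_column_name instead.
# Only ever applied to a name that already passed the allowlist check.
def quote_identifier(name)
  '"' + name.gsub('"', '""') + '"'
end

# Build an ActiveRecord-style :conditions array. The column name is
# interpolated only after an exact match against the allowlist; the
# search value stays a bind parameter so the driver escapes it.
def like_condition(column, value, allowed = ALLOWED_COLUMNS)
  column = column.to_s
  unless allowed.include?(column)
    raise UnknownColumn, "column not searchable: #{column.inspect}"
  end
  ["#{quote_identifier(column)} LIKE ?", value]
end

# Usage: Address.find(:all, :conditions => like_condition(params[:field], params[:q]))
```

Rejecting unknown names outright (rather than trying to clean them) also means a request for a column that exists but is not meant to be searchable, such as a password digest, fails the same way as a malformed one.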