Sanitize()

I need to sanitize an input query text field, but sanitize() doesn't give
me back a string acceptable to my SQL call.

I am writing

conditions << "users.description LIKE %#{sanitize(query_text)}%" unless
description.blank?

so

error... why? : query_text = 'out' => sanitize(query_text)
returns "'out'"

If I don't use sanitize, the SQL call is correct:

conditions << "users.description LIKE %#{query_text}%" unless
description.blank?

so

conditions => ["users.description LIKE %out%"]

How should I use sanitize to secure this text field input?

Thanks for your help.

Sanitize is a (poor) HTML sanitizing function.

Use instead:

conditions << ["users.description LIKE ?", "%" + query_text + "%"]

If you do that, Rails will sanitize your query!
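To make the difference between the two forms concrete, here is an added example in plain Ruby (not code from the original thread, and not Rails itself). It contrasts the interpolated string from the question with the placeholder array from the answer, adds a small illustrative quoting routine to show what happens to a single quote once the value is treated as data (real quoting is done by the database adapter, not by this function), and covers one caveat the answer leaves out: a placeholder stops SQL injection, but % and _ typed by the user are still LIKE wildcards unless they are escaped. The hostile sample input is constructed for the demonstration.

```ruby
# Added example, not part of the original post or of Rails.
# Demonstrates: interpolated SQL vs. placeholder conditions for a LIKE search,
# and escaping of LIKE wildcards inside the bound value.

# The pattern from the question: user text is spliced straight into the SQL,
# so anything the user types becomes part of the statement itself.
def unsafe_like_sql(query_text)
  "users.description LIKE '%#{query_text}%'"
end

# The pattern from the answer: the SQL keeps a "?" placeholder and the
# pattern travels as a separate value that is quoted when the statement is built.
def safe_like_conditions(query_text)
  ["users.description LIKE ?", "%#{query_text}%"]
end

# Illustration only (hypothetical helper): quote a value the way a SQL string
# literal is quoted, doubling embedded single quotes. In Rails this is the
# connection adapter's job; it is spelled out here so the effect is visible.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Illustration only (hypothetical helper): substitute quoted values for each
# "?" placeholder, left to right, to show the statement that would be sent.
def render_conditions(conditions)
  sql, *values = conditions
  values.each { |v| sql = sql.sub("?", quote_sql_string(v)) }
  sql
end

# Caveat: a placeholder prevents injection, but "%" and "_" are still LIKE
# wildcards inside the value. Escape them (and the escape character itself)
# and tell the database which escape character you used.
LIKE_ESCAPE = "\\"

def escape_like(text)
  text.gsub(/[\\%_]/) { |c| LIKE_ESCAPE + c }
end

def safe_like_conditions_escaped(query_text)
  ["users.description LIKE ? ESCAPE '\\'", "%#{escape_like(query_text)}%"]
end

if __FILE__ == $PROGRAM_NAME
  hostile = "x' OR '%'='"          # constructed sample input
  puts unsafe_like_sql(hostile)    # the OR clause becomes part of the WHERE
  puts render_conditions(safe_like_conditions(hostile)) # stays a single literal
  p safe_like_conditions_escaped("100%_sure")            # wildcards neutralised
end
```

With the interpolated form the input `x' OR '%'='` closes the literal and appends `OR '%'='%'`, which is always true; with the array form the same text is quoted as one value and compares against the column as data. The escaped variant matters when a user searching for "100%" should not match every row; newer Rails versions provide sanitize_sql_like for the same purpose.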