I’m writing a search function for my application, but I am unsure how to search for all results that contain my search string; here’s what I’ve got:
and it works. However, I’d like confirmation that it is the correct way, and that it is SQL-injection safe.
Hmm… I’d go for something like this instead: :conditions => [ "title ilike %?%", @params[:search] ]
Trying to fudge parts of the query into your parameter string isn’t too neat. Not 100% sure my suggestion works, but the way you’re doing it shouldn’t work imho…
> Trying to fudge parts of the query into your parameter string isn’t too neat. Not 100% sure my suggestion works, but the way you’re doing it shouldn’t work imho…
Well, I agree, but I do not see any other way of doing it!
/mich
Do it like this:
:conditions => ["title LIKE ?", "%#{params[:search]}%"]
> Hmm… I’d go for something like this instead: :conditions => [ "title ilike %?%", @params[:search] ]
That won’t work! It is being parsed like this:
[…] WHERE (title ilike %'1720'% and […]
> Trying to fudge parts of the query into your parameter string isn’t too neat. Not 100% sure my suggestion works, but the way you’re doing it shouldn’t work imho…
> Well, I agree, but I do not see any other way of doing it!
> :conditions => ["title LIKE ?", "%#{params[:search]}%"]
Muy nice! I’m assuming this is SQL-injection safe!
"abc#{some_variable}def" is basically another way to write "abc" + some_variable.to_s + "def". It’s plain Ruby string handling, nothing SQL related.
Use the [querystring, *params] approach with ‘?’ as a placeholder for unsafe stuff, and Active Record should keep you safe from SQL injection, yes.
Not sure what I think about wildcards not being escaped, but I figure this has its advantages as well…