Forum: Ruby on Rails General query using ActiveRecord.

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
christer.nilsson (Guest)
on 2005-11-12 21:52
(Received via mailing list)
Problem: Is the following approach SQL injection safe?

I have five filter fields and would like to be able to ask 2**5 = 32
different WHERE clauses with LIKE conditions.

If it is safe, can it be improved or simplified?

...

cond = ""
cond += AddCond("flight like", "%", @report.flight, "%")
cond += AddCond("description like", "%", @report.description, "%")
cond += AddCond("users.name like", "%", @report.pilot, "%")
cond += AddCond("flightdate >=", "", @report.fromdate, "")
cond += AddCond("flightdate <=", "", @report.todate, "")

if cond == "" then
  @reports = Report.find(:all)
else
  @reports = Report.find(:all,
                         :conditions => "1=1" + cond,
                         :joins => "INNER JOIN Users ON Reports.user_id = Users.id")
end

...

# Returns " and <column op> <quoted value>" for a filled-in filter, or ""
# when the value is nil or blank so that filter is left out of the WHERE clause.
def AddCond(query, prefix, value, suffix)
  if value.nil? || value == "" then
    ""
  else
    " and " + query + " " + Report.quote(prefix + value + suffix)
  end
end
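An added example, not code from the original post: the same five optional filters built as an ActiveRecord conditions array with "?" placeholders, so the adapter binds the values instead of the application quoting them, plus escaping of LIKE wildcards, which quoting alone leaves active in user input. The method names, the "!" escape character and the hash-shaped report are assumptions made for this example; the column names are the ones from the post.

```ruby
# Added example, not code from the original post: the same five optional filters
# expressed as a Rails-style conditions array with "?" placeholders, so values
# travel as bind parameters instead of being spliced into the SQL string.
# Column names come from the post; the method names and the hash-shaped report
# are assumptions made for this example.

# Escape LIKE metacharacters so a user-supplied "%" or "_" matches literally.
# "!" is used as the escape character and declared with ESCAPE '!' in the SQL
# (portable across adapters, unlike a backslash).
def escape_like(value)
  value.gsub(/[!%_]/) { |m| "!#{m}" }
end

# One row per filter: report key, SQL fragment with a placeholder, and how the
# raw value becomes the bound parameter (wildcards wrapped for LIKE filters).
FILTERS = [
  [:flight,      "flight LIKE ? ESCAPE '!'",      ->(v) { "%#{escape_like(v)}%" }],
  [:description, "description LIKE ? ESCAPE '!'", ->(v) { "%#{escape_like(v)}%" }],
  [:pilot,       "users.name LIKE ? ESCAPE '!'",  ->(v) { "%#{escape_like(v)}%" }],
  [:fromdate,    "flightdate >= ?",               ->(v) { v }],
  [:todate,      "flightdate <= ?",               ->(v) { v }],
]

# Returns [sql, bind1, bind2, ...] in the shape ActiveRecord accepts for
# :conditions (Rails 1.x) or where (Rails 3+), or nil when every filter is
# blank so the caller can fall back to an unfiltered find.  nil and "" are
# skipped, mirroring AddCond in the post.
def build_conditions(report)
  clauses = []
  binds   = []
  FILTERS.each do |key, sql, to_bind|
    value = report[key]
    next if value.nil? || value == ""
    clauses << sql
    binds   << to_bind.call(value)
  end
  return nil if clauses.empty?
  [clauses.join(" AND "), *binds]
end

# Constructed sample: two filters set, three blank.  The pilot value carries a
# quote and a wildcard; both reach the database only as data.
sample = { flight: "SK", description: "", pilot: "O'Brien 100%",
           fromdate: nil, todate: nil }
p build_conditions(sample)
# => ["flight LIKE ? ESCAPE '!' AND users.name LIKE ? ESCAPE '!'", "%SK%", "%O'Brien 100!%%"]
```

The INNER JOIN on Users from the post stays a separate :joins option; only the WHERE part changes.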