qertoip
In my case (data analysis) using #find* is far from enough.
I need to fill complex SQL statements with form params.
Then I use ActiveRecord::Base.connection.execute()
How to sanitize parameters to prevent injection?
Thanks in advance!
(P.S.: I use MySQL)
Qertoip wrote:
How to sanitize parameters to prevent injection?
Found: Mysql.escape_string( potentially_evil_data )
ActiveRecord uses this method:
ActiveRecord::Base.connection.quote( string )
This should work no matter which database you’re using.
Snow Man wrote:
ActiveRecord uses this method:
ActiveRecord::Base.connection.quote( string )
This should work no matter which database you’re using.
Thanks for your response. Accidentally I came across an even better solution:
ActiveRecord::Base#sanitize_sql( array_like_in_find_condition )
Docs: ActiveRecord::Base
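The thread settles on letting the adapter quote values (connection.quote) or on handing a ?-placeholder array to sanitize_sql (sanitize_sql_array in current Rails) instead of interpolating form params into SQL. The following is an added, stand-alone Ruby illustration, not code from the thread or from ActiveRecord itself: it reimplements the two pieces in miniature (MySQL-style string escaping plus ?-placeholder filling) so the difference between interpolating and quoting is visible without a database. The helper names mysql_escape, quote_value, sanitize_sql, unsafe_query and safe_query and the constructed EVIL_NAME input are assumptions of this example; in real code call the adapter's own quote or sanitize_sql_array rather than reimplementing escaping.

```ruby
# Added example (not from the thread or ActiveRecord): a minimal stand-in for
# what connection.quote and sanitize_sql(_array) do. Escaping follows MySQL's
# backslash rules; production code should use the adapter's quote method.

# Escape the characters MySQL treats specially inside a quoted string literal.
def mysql_escape(str)
  str.gsub(/[\0\n\r\\'"\x1a]/) do |c|
    case c
    when "\0"   then "\\0"
    when "\n"   then "\\n"
    when "\r"   then "\\r"
    when "\x1a" then "\\Z"
    else "\\#{c}"          # backslash, single quote, double quote
    end
  end
end

# Quote a Ruby value the way an adapter's #quote does: strings become escaped,
# single-quoted literals; numbers pass through unquoted; nil becomes NULL.
def quote_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  else                     "'#{mysql_escape(value.to_s)}'"
  end
end

# Fill ? placeholders with quoted values, the shape sanitize_sql accepts
# (["... WHERE x = ?", value]). Refuses a template whose placeholder count
# does not match the number of values, so a missing bind cannot go unnoticed.
def sanitize_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} bind values, got #{values.size}"
  end
  i = -1
  template.gsub("?") { quote_value(values[i += 1]) }
end

# Constructed form input that breaks out of a naive interpolation.
EVIL_NAME = "x' OR '1'='1"

# Unsafe: the parameter is spliced into the SQL text and becomes grammar.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe: the parameter stays a single string literal, quotes and all.
def safe_query(name)
  sanitize_sql("SELECT * FROM users WHERE name = ?", name)
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_query(EVIL_NAME)}"
  puts "safe:   #{safe_query(EVIL_NAME)}"
end
```

Running it prints the interpolated statement, where the injected OR clause has become part of the WHERE condition, next to the quoted statement, where every quote in the input is escaped and the whole value remains a single string literal. The same distinction is what connection.quote and the array form of sanitize_sql give you for free in ActiveRecord; the example exists only to make it visible.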