rails 3 activerecord order – what is the proper sql injection work around?

by

Ryan Bates’ method:

in your controller:

def index
  @users = User.order(sort_by + " " + direction)
end

private
  def sort_by
    %w{email name}.include?(params[:sort_by]) ? params[:sort_by] : 'name'
  end

  def direction
    %w{asc desc}.include?(params[:direction]) ? params[:direction] : 'asc'
  end

Essentially you’re making a whitelist, but it’s easy to do and insusceptible to injection.

More Related Contents:

  1. Rails 3.1: Engine vs. Mountable App
  2. rails – “WARNING: Can’t verify CSRF token authenticity” for json devise requests
  3. rails error, couldn’t parse YAML
  4. Rails – Could not find a JavaScript runtime?
  5. Share database between 2 apps in Heroku
  6. Undefined method ‘task’ using Rake 0.9.0
  7. How to empty a Heroku database
  8. Stubbing authentication in request spec
  9. Disable HTML escaping in erb templates
  10. Adding a column to an existing table in a Rails migration
  11. rmagick gem install “Can’t find Magick-config”
  12. Thin web server: `start_tcp_server’: no acceptor (RuntimeError) after git branch checkout
  13. Can we call a Controller’s method from a view (as we call from helper ideally)?
  14. Rails Engine – Gems dependencies, how to load them into the application?
  15. Rails 3 library not loading until require
  16. using Liquid variables inside of a liquid tag call
  17. Rails naming convention for join table
  18. skip certain validation method in Model
  19. HABTM Polymorphic Relationship
  20. Rails 3 render action from another controller
  21. Error “…cannot load such file — mysql2/2.0/mysql2 (LoadError)”. On Windows XP with Ruby 2.0.0
  22. Rails: FATAL – Peer authentication failed for user (PG::Error)
  23. How to rename rails 4 app?
  24. Rails 3 – how do I avoid database altogether?
  25. How to make Devise redirect after confirmation
  26. rails:3 Devise signup Filter chain halted as :require_no_authentication rendered or redirected
  27. Rails 3 – upload files to public directory
  28. ActiveRecord Find All not sorting by ID?
  29. Character encoding issue exporting rails data to CSV
  30. Default_url in Paperclip Broke with Asset Pipeline Upgrade

Leave a Comment