Safe ActiveRecord like query

by

To ensure that your query string gets properly sanitized, use the array or the hash query syntax to describe your conditions:

Foo.where("bar LIKE ?", "%#{query}%")

or:

Foo.where("bar LIKE :query", query: "%#{query}%")

If it is possible that the query might include the % character and you do not want to allow it (this depends on your usecase) then you need to sanitize query with sanitize_sql_like first:

Foo.where("bar LIKE ?", "%#{sanitize_sql_like(query)}%")
Foo.where("bar LIKE :query", query: "%#{sanitize_sql_like(query)}%")

More Related Contents:

  1. ActionController::UnknownFormat
  2. Why isn’t self always needed in ruby / rails / activerecord?
  3. Rails ‘parse_query’ error on server in brand new app
  4. Can’t output currency in ruby with money-gem [closed]
  5. Very Basic Ruby puts and gets
  6. What does the (unary) * operator do in this Ruby code?
  7. How to debug Ruby scripts [closed]
  8. Converting a nested hash into a flat hash
  9. How can I find which operating system my Ruby program is running on?
  10. Optional argument after splat argument
  11. ActiveRecord OR query Hash notation
  12. Gem installation error: You have to install development tools first (Windows)
  13. What does @@variable mean in Ruby?
  14. Pressing Ctrl + A in Selenium WebDriver
  15. You have already activated X, but your Gemfile requires Y
  16. How can I switch to ruby 1.9.3 installed using Homebrew?
  17. Rails ActiveRecord: Find All Users Except Current User
  18. How to avoid “cannot load such file — utils/popen” from homebrew on OSX
  19. Access variables programmatically by name in Ruby
  20. Confusion with Atomic Grouping – how it differs from the Grouping in regular expression of Ruby?
  21. Extract number from string in Ruby
  22. How to use “RVM –default” on MacOSX
  23. ‘||=’ operator in Ruby
  24. Store the day of the week and time?
  25. How to preserve request url with nginx proxy_pass
  26. When to use `require`, `load` or `autoload` in Ruby?
  27. Natural Language Processing in Ruby [closed]
  28. How to turn a string into a method call? [duplicate]
  29. What is the behavior when using both positional and keyword arguments in Ruby?
  30. Combine two Arrays into Hash

Leave a Comment