On Tuesday, May 24, 2011 2:43:52 PM UTC-6, Kevin wrote:
>
> I have a query I am mapping to a Struct that takes two parameters. What is
> the proper method for escaping the parameters to avoid sql injection issues
> with sqlite3, when using ActiveRecord::Base.connection.select_all? I have
> tried using ? but that does not seem to work at all I get an empty array.
> Simply sticking the variable into the string with #{} yields the expected
> results.
>
I think you can directly use the #quote method (from the
ActiveRecord::ConnectionAdapters::Quoting module that's mixed into your
connection).
For example:
untrusted_user_input = "B%"
c = ActiveRecord::Base.connection
c.select_all "SELECT * FROM your_mom WHERE hair_color LIKE
#{c.quote(untrusted_user_input)}"
All the normal AR find stuff is unavailable if you're determined to directly
use #select_all on your connection.
Hope that helps.
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
