Menu
In a simple search like this:
find.where('name LIKE ?', "%#{search}%")
I understand that #{search} is just string interpolation. What do the % symbols do?
519
The SQL LIKE Operator There are two wildcards often used in conjunction with the LIKE operator: The percent sign (%) represents zero, one, or multiple characters. The underscore sign (_) represents one, single character.
It is a string. In ruby, you can define strings in may ways. Single or double quotes are the most common, %s is another. You can also define strings with any delimiter, as used in this script. For example %^Is also a string^ , or %$Also a string$ .
SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes. Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
The percent sign % is a wildcard in SQL that matches zero or more characters. Thus, if search is "hello", it would match strings in the database such as "hello", "hello world", "well hello world", etc.
Note that this is a part of SQL and is not specific to Rails/ActiveRecord. The queries it can be used with, and the precise behavior of LIKE, differ based on SQL dialect (MySQL, PostgreSQL, etc.).
140
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
