In a simple search like this:
find.where('name LIKE ?', "%#{search}%")
I understand that #{search} is just string interpolation. What do the % symbols do?
The SQL LIKE Operator
There are two wildcards often used in conjunction with the LIKE operator: The percent sign (%) represents zero, one, or multiple characters. The underscore sign (_) represents one, single character.
It is a string. In Ruby, you can define strings in many ways. Single or double quotes are the most common; %s is another. You can also define strings with any delimiter, as used in this script. For example %^Is also a string^, or %$Also a string$.
SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes. Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
The percent sign % is a wildcard in SQL that matches zero or more characters. Thus, if search is "hello", it would match strings in the database such as "hello", "hello world", "well hello world", etc.
Note that this is a part of SQL and is not specific to Rails/ActiveRecord. The queries it can be used with, and the precise behavior of LIKE, differ based on SQL dialect (MySQL, PostgreSQL, etc.).
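An added example, not part of any of the answers above: a plain-Ruby model of LIKE matching (standing in for the database) that shows what "%#{search}%" matches, and why the % and _ a user types still act as wildcards even though the ? placeholder already keeps the value from breaking out of the query. The helper names (like_to_regexp, like_match?, sanitize_like, search_names), the NAMES sample data and the escaping rule (the same idea as ActiveRecord::Base.sanitize_sql_like) are assumptions of this example.

```ruby
# Translate a SQL LIKE pattern into an anchored Ruby regexp.
# `%` matches zero or more characters, `_` exactly one; the escape
# character makes the following character match literally.
def like_to_regexp(pattern, escape: "\\")
  out = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == escape && i + 1 < chars.length
      out << Regexp.escape(chars[i + 1])   # escaped wildcard: literal match
      i += 2
      next
    end
    out << case c
           when "%" then ".*"
           when "_" then "."
           else Regexp.escape(c)
           end
    i += 1
  end
  # MULTILINE so `.` also spans newlines, as SQL `%` does
  Regexp.new("\\A#{out}\\z", Regexp::MULTILINE)
end

def like_match?(pattern, value)
  like_to_regexp(pattern).match?(value)
end

# Escape the characters that are special inside a LIKE pattern so a
# user-supplied term is matched literally (what sanitize_sql_like does).
def sanitize_like(term, escape: "\\")
  term.gsub(/[\\%_]/) { |m| "#{escape}#{m}" }
end

# Constructed sample rows standing in for the `name` column.
NAMES = ["hello", "hello world", "well hello world", "help", "a_c", "abc"].freeze

# The query from the question: '%' + search + '%' finds `search` anywhere.
# Without sanitizing, a `_` or `%` in `search` widens the match.
def search_names(search, sanitize: false)
  term = sanitize ? sanitize_like(search) : search
  NAMES.select { |n| like_match?("%#{term}%", n) }
end
```

Binding the value with ? stops SQL injection; escaping is a separate step that keeps the search as narrow as the user intended.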