I'd like to use the following query for my Rails 4 application but am concerned about SQL injection attacks:
@persons = People.where("persons.name LIKE ?", "%#{params[:search]}%")
Can somebody show me the safe way to write the above statement? I've tried the following but am not sure if it is SQL-injection-proof:
search = "%" + params[:search] + "%"
@persons = People.where("persons.name LIKE ?", search)
Thanks!
Your examples are fine, as zishe said.
Whenever you use question marks in a method call and pass the other parameters as the search values, it sanitizes your query string.
It is dangerous when you manually concatenate strings to create your query, for example:
Project.where("name = '#{params[:name]}'")
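The following is an added example, not code from the question or the answer above. It shows the difference between interpolating user input into the SQL string and binding it through a `?` placeholder, and it adds the caveat that a bound parameter stops SQL injection but does not stop wildcard injection: `%` and `_` inside the bound value are still LIKE metacharacters, so `params[:search] = "%"` matches every row. The script runs with plain `ruby` and does not load ActiveRecord; `quote_literal` and `escape_like` are stand-ins written here for what a database adapter does when a placeholder is bound and for what `ActiveRecord::Base.sanitize_sql_like` (Rails 4.2+) does, not Rails' own code. The sample rows are constructed.

```ruby
# Added example, not code from the question or the answer. Runs with plain
# `ruby`; no ActiveRecord. quote_literal and escape_like are assumed stand-ins
# for adapter quoting of a bound `?` value and for sanitize_sql_like.

# 1. Unsafe: user input interpolated into the SQL string, like the
#    Project.where("name = '#{params[:name]}'") example in the answer.
def unsafe_like_query(search)
  "SELECT * FROM persons WHERE persons.name LIKE '%#{search}%'"
end

# Stand-in for adapter quoting of a bound value: double every single quote
# and wrap the result in quotes, so a quote in the input cannot end the literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# 2. What `where("persons.name LIKE ?", "%#{search}%")` produces after binding.
#    A quote in the input is inert, but % and _ are still LIKE wildcards.
def bound_like_query(search)
  "SELECT * FROM persons WHERE persons.name LIKE " + quote_literal("%#{search}%")
end

# Escape LIKE metacharacters (%, _ and the escape character itself) so the
# user's text is matched literally. Same idea as sanitize_sql_like.
def escape_like(value, escape_char = "\\")
  value.to_s.gsub(Regexp.union(escape_char, "%", "_")) { |m| escape_char + m }
end

# 3. Bound *and* wildcard-escaped. The ESCAPE clause names the escape
#    character explicitly: SQLite has no default one, PostgreSQL and MySQL
#    default to backslash.
def bound_escaped_like_query(search)
  "SELECT * FROM persons WHERE persons.name LIKE " +
    quote_literal("%#{escape_like(search)}%") + " ESCAPE '\\'"
end

# Minimal case-sensitive LIKE evaluator (% = any run, _ = one char, escape
# honoured) so the effect of the two query styles is visible without a DB.
def like_to_regexp(pattern, escape_char = "\\")
  out = +""
  chars = pattern.chars
  i = 0
  while i < chars.size
    c = chars[i]
    if c == escape_char && i + 1 < chars.size
      out << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    piece = case c
            when "%" then ".*"
            when "_" then "."
            else Regexp.escape(c)
            end
    out << piece
    i += 1
  end
  Regexp.new("\\A#{out}\\z", Regexp::MULTILINE)
end

def like_match?(name, pattern, escape_char = "\\")
  like_to_regexp(pattern, escape_char).match?(name)
end

# Constructed sample rows.
SAMPLE_NAMES = ["Alice", "Bob", "100% Bob", "a_b", "O'Brien"].freeze

# Run the search the way the two query styles would (bound only, or bound and
# escaped) and return the matching names.
def search_names(names, search, escape: true)
  pattern = escape ? "%#{escape_like(search)}%" : "%#{search}%"
  names.select { |n| like_match?(n, pattern) }
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_like_query("x' OR '1'='1")           # quote breaks out of the literal
  puts bound_like_query("x' OR '1'='1")            # quote is doubled, stays inside
  puts bound_escaped_like_query("100%")
  p search_names(SAMPLE_NAMES, "%", escape: false) # every row: wildcard injection
  p search_names(SAMPLE_NAMES, "%", escape: true)  # only the literal "100% Bob"
end
```

In a Rails 4.2 or later application the escaping step is `sanitize_sql_like`, a class method on the model (protected until Rails 5.2, so call it from a class method of the model, e.g. `where("persons.name LIKE ?", "%#{sanitize_sql_like(term)}%")`). Wildcard injection is not a data-disclosure bug in the way SQL injection is, but a leading `%` with further wildcards defeats indexes and lets a client turn a name lookup into a full-table scan, which matters once the table is large.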