Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails, how to sanitize SQL in find_by_sql

Tags:

ruby-on-rails

ruby-on-rails-3

activerecord

find-by-sql

Is there a way to sanitize sql in rails method find_by_sql?

I've tried this solution: Ruby on Rails: How to sanitize a string for SQL when not using find?

But it fails at

Model.execute_sql("Update users set active = 0 where id = 2")

It throws an error, but sql code is executed and the user with ID 2 now has a disabled account.

Simple find_by_sql also does not work:

Model.find_by_sql("UPDATE user set active = 0 where id = 1")
# => code executed, user with id 1 have now ban

Edit:

Well my client requested to make that function (select by sql) in admin panel to make some complex query(joins, special conditions etc). So I really want to find_by_sql that.

Second Edit:

I want to achieve that 'evil' SQL code won't be executed.

In admin panel you can type query -> Update users set admin = true where id = 232 and I want to block any UPDATE / DROP / ALTER SQL command. Just want to know, that here you can ONLY execute SELECT.

After some attempts I conclude sanitize_sql_array unfortunatelly don't do that.

Is there a way to do that in Rails??

Sorry for the confusion..

like image 973
nothing-special-here Avatar asked Aug 22 '11 09:08

nothing-special-here

3 Answers

Try this: 

connect = ActiveRecord::Base.connection();
connect.execute(ActiveRecord::Base.send(:sanitize_sql_array, "your string"))

You can save it in variable and use for your purposes.

like image 108
bor1s Avatar answered Nov 17 '22 05:11

bor1s

I made a little snippet for this that you can put in initializers.

class ActiveRecord::Base  
  def self.escape_sql(array)
    self.send(:sanitize_sql_array, array)
  end
end

Right now you can escape your query with this: 

query = User.escape_sql(["Update users set active = ? where id = ?", true, params[:id]])

And you can call the query any way you like:

users = User.find_by_sql(query)
like image 20
Michael Koper Avatar answered Nov 17 '22 04:11

Michael Koper

Slightly more general-purpose:

class ActiveRecord::Base  
  def self.escape_sql(clause, *rest)
    self.send(:sanitize_sql_array, rest.empty? ? clause : ([clause] + rest))
  end
end

This one lets you call it just like you'd type in a where clause, without extra brackets, and using either array-style ? or hash-style interpolations.

like image 8
Jay Levitt Avatar answered Nov 17 '22 04:11

Jay Levitt
Sign in to Comment

Related questions

button_to without submit
skipping email confirmation for omniauth users using devise
Using regex in Ruby if condition
In postgresql, what's the difference a "database" and a "relation"? ('error relation x does not exist', 'error database x already exists')
rails nokogiri no such file or directory
Name is already used or reserved by Ruby on Rails?
rails console fails with `Switch to inspect mode` in windows
Rails devise: user_signed_in? not working
Converting existing password hash to Devise
Rails respond_with acting different in index and create method
Dynamically get Object's attribute
Rails redirect_to with params
Rails: Ensure only one boolean field is set to true at a time
Is it possible to use "number_to_currency" inside a controller?
rails 4.1 can't deploy via capistrano 3
ChaiJS expect constructor to throw error
How to construct URI with query arguments from hash in Ruby
How can I check if user is signed in with rails devise?
Error while trying to load the gem 'devise. ActiveSupport: Duration can't be coerced into Integer
flash.delete(:notice) not working in Rails 3.1 RC?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!