Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Ruby on Rails: How to sanitize a string for SQL when not using find?

Tags:

escaping

ruby-on-rails

sanitize

tsvector

I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible, however, if that is the only way I would also appreciate if anyone can point me in the right direction to a regex that is unlikely to be missing anything. There are a number of methods in Rails that can allow you to enter in native SQL commands, how do people escape user input for those?

The question I'm asking is a broad one, but in my particular case, I'm working with a column in my Postgres database that Rails does not natively understand as far as I know, the tsvector, which holds plain text search information. Rails is able to write and read from it as if it's a string, however, unlike a string, it doesn't seem to be automatically escaping it when I do things like vector= inside the model.

For example, when I do model.name='::', where name is a string, it works fine. When I do model.vector='::' it errors out:

ActiveRecord::StatementInvalid: PGError: ERROR:  syntax error in tsvector: "::"
"vectors" = E'::' WHERE "id" = 1

This seems to be a problem caused by lack of escaping of the semicolons, and I can manually set the vector='::' fine.

I also had the bright idea, maybe I can just call something like:

ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::"

However, this syntax doesn't work, because the raw SQL commands don't have access to find's method of escaping and inputting strings by using the ? mark.

This strikes me as the same problem as calling connection.execute with any type of user input, as it all boils down to sanitizing the strings, but I can't seem to find any way to manually call Rails' SQL string sanitization methods. Can anyone provide any advice?

like image 437
William Jones Avatar asked Mar 23 '10 05:03

William Jones

1 Answers

Add this method to your model:

class Media < ActiveRecord::Base
  def self.execute_sql(*sql_array)     
    connection.execute(send(:sanitize_sql_array, sql_array))
  end
end

Now you can execute any SQL such as:

Media.execute_sql('UPDATE medias SET vectors = ? WHERE id = 1', '::')

Reference

1) sanitize_sql_array

like image 116
Harish Shetty Avatar answered Sep 20 '22 12:09

Harish Shetty
Sign in to Comment

Related questions

Rails - Where should I calculate derived attributes?
Tests say no routes match, but they work in browser
Should I use "rake spec" or "rspec" (can't get "rake spec" to work)?
Amazon Linux stack installing Phusion Passenger
validation and error-handling for service objects
using simple_form with bootstrap 3
Why is :memory_store cache faster than :dalli_store for memcached? Should I just stick with :memory_store?
Turbolinks with carrierwave images as CSS background-image
Active Model Serializers: Adding extra information outside root in ArraySerializer
How to run custom rake task via capistrano 3?
Date/Time comparison in ruby
Getting ng-token-auth to work with devise_token_auth
ROR pass params to modal
How to Firebase Auth with Rails?
Where should I place my middleware file for Rails 5.1?
Validation of objects inside array of jsonb objects with RubyOnRails
Rails Query group and pluck to Return Array of IDs grouped by another attribute?
Rails - Rubocop - Begin + Rescue syntax
Rails' collection_select helper method and the "Create item" option at the end
Find average date from collection of dates (Ruby)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!