ruby on rails prepared statement for oracle view/function

Question

I have the following code which executes an oracle view as follows:

def run_query
    connection.exec_query(
      "SELECT * FROM TABLE(FN_REQRESP(#{type_param},
                                      #{search_type_param},
                                      #{tid_param},
                                      #{last_param},
                                      #{key_param},
                                      #{tran_id_param},
                                      #{num_param},
                                      #{start_date_param},
                                      #{end_date_param}))")
end

The output of the above query is as follows:

SELECT * FROM TABLE(FN_REQRESP('ALL',
 'ALL_TRAN',
 '100007',
 '',
 '',
 '',
 '',
 TO_DATE('27-January-2017','dd-MON-yy'),
 TO_DATE('31-January-2017','dd-MON-yy'))) 

The problem is that above query has a SQL injection vulnerability.

So, i tried to add a prepare statement as follows:

 connection.exec_query('SELECT * FROM TABLE(FN_REQRESP(?,?,?,?,?,?,?,?,?))','myquery',[type_param,search_type_param,tid_param,last_param,key_param,tran_id_param,num_param,start_date_param,end_date_param])

I get the following error now:

NoMethodError: undefined method `type' for "'ALL'":String: SELECT * FROM TABLE(FN_REQRESP(?,?,?,?,?,?,?,?,?))

It's the single quotes that messing it up I beleive. Is there a way to overcome this?

EDIT: I tried NDN's answer and the error below:

OCIError: ORA-00907: missing right parenthesis: SELECT * FROM TABLE(FN_REQRESP('\'ALL\'',
                                      '\'ALL_TRAN\'',
                                      '\'100007\'',
                                      '\'\'',
                                      '\'\'',
                                      '\'\'',
                                      '\'\'',
                                      'TO_DATE(\'01-February-2017\',\'dd-MON-yy\')',
                                      'TO_DATE(\'10-February-2017\',\'dd-MON-yy\')'))

Answer 1

Looking at the source, binds gets cast in some magical way and you have to pass a named prepare: true argument as well.

It also used to work differently in older versions.

---

To save yourself the trouble, you can simply use #sanitize:

params = {
  type:        type_param,
  search_type: search_type_param,
  tid:         tid_param,
  last:        last_param,
  key:         key_param,
  tran_id:     tran_id_param,
  num:         num_param,
  start_date:  start_date_param,
  end_date:    end_date_param,
}

params.each do |key, param|
  params[key] = ActiveRecord::Base.sanitize(param)
end

connection.exec_query(
  "SELECT * FROM TABLE(FN_REQRESP(#{params[:type]},
                                  #{params[:search_type]},
                                  #{params[:tid]},
                                  #{params[:last]},
                                  #{params[:key]},
                                  #{params[:tran_id]},
                                  #{params[:num]},
                                  #{params[:start_date]},
                                  #{params[:end_date]}))"
)