Francesco Belladonna

Reputation: 11689

Build custom condition dynamically setting parameters and operators

I'm having hard times trying to understand how to do the following thing:

I have a JavaScript that helps me dynamically build a filtering query, then encode it and send it as a param to Rails.

The filter is built in this way: myfilter = {"field": "birth_date", "comparison": "lt", "type": "date", "value": "2012-05-27"}

So I'm building, for my find method, a hash of conditions dynamically set. The biggest problem is that I can be SQL-Injected even through field name of my query in this case. What do you suggest to build my find method?

I would like to do such a thing:

Client.where("? ? ?", myfilter['field'], myfilter['comparison'].to_operator, myfilter['value'])

But this is not valid. How can I achieve this keeping my query sanitized?

Upvotes: 0

Views: 162

Answers (1)

Tony Hopkinson

Reputation: 20320

All you are doing on the client end is describing the filter as in Name, Operator and Value. It's how you use them on the server end that could leave you open to an injection attack.

ColumnName can be checked against the columns in the query. Operator against some sort of list of allowable values, or perhaps passed via an enum.

Values as usual.

Upvotes: 1
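The approach the answer describes, as an added example that is not code from the question or the answer: the column name and operator are looked up in server-side allowlists, and only the value reaches the database, as a bind parameter. The `ALLOWED_COLUMNS` and `OPERATORS` tables, the `clients` table name and the `build_condition` helper are assumptions for illustration; the helper returns the arguments you would hand to `Client.where(sql, value)`.

```ruby
require "date"

# Assumed allowlist of filterable columns for a hypothetical `clients` table,
# mapped to the type the client-supplied value must be cast to.
ALLOWED_COLUMNS = {
  "birth_date" => :date,
  "name"       => :string,
  "age"        => :integer,
}.freeze

# Assumed mapping from the client's comparison keyword to a SQL operator.
# Anything not in this table is rejected, so no client text reaches the SQL.
OPERATORS = {
  "eq" => "=", "neq" => "<>", "lt" => "<", "lte" => "<=", "gt" => ">", "gte" => ">=",
}.freeze

class FilterError < StandardError; end

# Cast the raw value to the column's type; malformed input raises ArgumentError
# (Date::Error is an ArgumentError), so it never silently becomes a string.
def cast_value(raw, type)
  case type
  when :date    then Date.iso8601(raw.to_s)
  when :integer then Integer(raw.to_s, 10)
  else raw.to_s
  end
end

# Returns [sql_fragment, value] for use as Client.where(sql_fragment, value).
# `field` and `operator` are taken from the allowlists above, never from the
# request; the value is passed as a `?` placeholder and bound by the driver.
def build_condition(filter)
  field = filter["field"]
  raise FilterError, "unknown column: #{field.inspect}" unless ALLOWED_COLUMNS.key?(field)

  operator = OPERATORS[filter["comparison"]]
  raise FilterError, "unknown comparison: #{filter["comparison"].inspect}" if operator.nil?

  value = cast_value(filter["value"], ALLOWED_COLUMNS[field])

  # Double-quoted identifier (ANSI / PostgreSQL style); safe only because
  # `field` is one of our own allowlisted names.
  ["\"clients\".\"#{field}\" #{operator} ?", value]
end
```

With the filter from the question this yields `"clients"."birth_date" < ?` and a `Date` bind value; a field or comparison outside the allowlists raises `FilterError` instead of being interpolated.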
