joanwolk
Reputation: 1105
How to escape for MYSQL queries from Ruby on Rails?
When searching the MYSQL database for a Rails 2.3.14 app, I need to escape the search string appropriately so I can search for strings containing single-quotes (apostrophes). What's the best way to do this? I'm using the mysql gem, in case that matters.
Upvotes: 9
Views: 13796
Answers (3)
JJD
Reputation: 51834
Rails quotes strings as follows:
# Quotes a string, escaping any ' (single quote) and \ (backslash) characters.
def quote_string(s)
s.gsub(/\\/, '\&\&').gsub(/'/, "''") # ' (for ruby-mode)
end
Upvotes: 10
Angelo
Reputation: 492
You can use ActiveRecord's quote method (e.g. ActiveRecord::Base.connection.quote("string with ' apostrophe")), but ActiveRecord's query methods already escape your SQL for you. For example:
a = "string with ' apostrophe"
ModelName.where("field1 = ?", a)
will change "string with ' apostrophe" to "string with '' apostrophe"
Upvotes: 7
joanwolk
Reputation: 1105
When using the mysql gem, you gain the method Mysql.escape_string(). Use as follows:
search_terms = Mysql.escape_string("it's working!")
conditions = [ "table1.name LIKE '%#{search_terms}%'" ]
# use conditions for MYSQL query as appropriate
Upvotes: 8
Related Questions
- Escaping values in Rails (similar to mysql_real_escape_string())
- escaping query for SQL LIKE in rails
- how to escape a string before insert or update in Ruby
- Rails - escaping SQL params
- Escaping ':' and '?' in parameterized SQL queries in Rails
- Rails is escaping my query incorrectly
- Performing rails query with mysql with backslash in string
- Escaping strings in ActiveRecord where using prepared statements isn't possible
- Escape characters in MySQL, in Ruby
- How to escape string in Ruby to protect against SQL Injection? (No Rails)