bigardone

Reputation: 174

Rails sql injection in custom "where" clause

I'm building a custom where clause for a model, and I wanted to know whether the way I'm doing it is secure against SQL injection attacks. This is my method:

def self.search(search)
  if search
    conditions = []
    # Each entry pairs an SQL fragment containing a ? placeholder with the value
    # ActiveRecord will quote and substitute for it; the value never touches the SQL text.
    conditions << [ 'name like ?', search[:name] ] unless search[:name].blank?
    conditions << [ 'product_type_id = ?', search[:product_type_id] ] unless search[:product_type_id].blank?

    # transpose turns [[sql1, v1], [sql2, v2]] into [[sql1, sql2], [v1, v2]]:
    # the fragments are joined with ' and ' and the values follow in the same order,
    # which is the ['sql with ?', value, ...] form where() expects.
    # where(nil) leaves the relation unchanged when no search field was given.
    conditions = ( conditions.empty? ? nil : [conditions.transpose.first.join(' and '), *conditions.transpose.last] )
    where(conditions)
  else
    scoped  # Rails 3 idiom for an unrestricted relation; Rails 4 and later use `all`
  end
end

What do you think? Thanks in advance!

Upvotes: 0

Views: 434

Answers (1)

Salil

Reputation: 47482

Yes. This is a secure way against SQL injection attacks.

Following is an example where it is not safe:

conditions << [ "name like  #{search[:name]}" ]

Upvotes: 1
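An added example (mine, not code from the question or the answer) that makes the difference concrete without a database. ActiveRecord is not loaded, so `quote` and `bind_placeholders` are simplified stand-ins, an assumption, for the quoting ActiveRecord performs when `where` receives `['sql with ?', value, ...]`; `escape_like` does what Rails' `sanitize_sql_like` does, so that a `%` or `_` typed by the user matches literally instead of acting as a wildcard; and `.blank?` is replaced by `.to_s.empty?` because ActiveSupport is not loaded either. It goes one step beyond the thread by covering the one thing placeholders do not handle for LIKE: wildcard characters inside the bound value.

```ruby
# Added example; not the questioner's Rails code and not ActiveRecord's own
# implementation. `quote` and `bind_placeholders` are simplified stand-ins
# (an assumption) for what ActiveRecord does with ["sql with ?", value, ...].

# Quote a value as an SQL literal. A single quote inside a string literal is
# escaped by doubling it, which is why a bound "'" can never end the literal.
def quote(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each ? in the template with the quoted form of the next value.
# The block form of gsub is used so backslashes in the value are not
# interpreted as back-references.
def bind_placeholders(template, values)
  values = values.dup
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  template.gsub("?") { quote(values.shift) }
end

# Escape LIKE metacharacters so user input only matches itself. Backslash is
# the default escape character on MySQL and PostgreSQL; on databases without
# a default (SQLite, for instance) the fragment needs an explicit ESCAPE clause.
def escape_like(str, escape = "\\")
  str.gsub(/[\\%_]/) { |m| escape + m }
end

# The questioner's approach: SQL fragments and values are kept apart until
# binding, and the transpose trick assembles the ['sql', v1, v2] array.
# Wildcards are added around the escaped name to get a "contains" search.
def safe_conditions(search)
  conditions = []
  unless search[:name].to_s.empty?
    conditions << ['name like ?', "%#{escape_like(search[:name])}%"]
  end
  unless search[:product_type_id].to_s.empty?
    conditions << ['product_type_id = ?', search[:product_type_id]]
  end
  return nil if conditions.empty?
  [conditions.transpose.first.join(' and '), *conditions.transpose.last]
end

# Render the bound SQL a database would receive (nil when nothing was searched).
def safe_sql(search)
  c = safe_conditions(search)
  c.nil? ? nil : bind_placeholders(c.first, c.drop(1))
end

# The unsafe form from the answer: the user's input is interpolated straight
# into the SQL text, so a quote in the input ends the literal and the rest
# of the input becomes SQL.
def unsafe_sql(search)
  "name like #{search[:name]}"
end

if __FILE__ == $0
  attack = { name: "' or 1=1 --" }   # constructed hostile input
  puts "bound:        #{safe_sql(attack)}"
  puts "interpolated: #{unsafe_sql(attack)}"
  puts "wildcard:     #{safe_sql(name: '100%')}"
end
```

With the hostile input above, binding yields `name like '%'' or 1=1 --%'`, a string literal the database compares against the column, whereas interpolation yields `name like ' or 1=1 --`, which the database parses as a quote, an always-true `or 1=1`, and a comment swallowing the rest. The third line shows why `escape_like` matters: without it, a `%` in the value is a wildcard that matches every row even though the query was built safely.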
