Metal

Reputation: 205

Escaping single quotes in text fields in Ruby on rails 3

I am stuck at an issue where my application should be able to add users to the database with an apostrophe, e.g.:

  1. firstname.l'[email protected] or fir'[email protected]

  2. u'ser.name or user.n'ame

Apostrophe can exist anywhere in the name of the user.

There are two ways to add a user: either by email or by username.

Is it possible to add a user in the above format? Is there any method that can ignore the apostrophe from text/input fields in ERB or anywhere else in the app?

I am updating this post with the error message:

Processing by UsersController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"Pnn4bO6ECFSmFQTM38ecb2F11UacNbeB5MRBPGVbY2s=", "user"=>{"email"=>"", "fullname_login"=>"a'pple.mac", "password"=>"[FILTERED]"}, "commit"=>"Create user"}
Completed 500 Internal Server Error in 58ms

ActiveRecord::StatementInvalid (PG::Error: ERROR:  syntax error at or near "pple"
LINE 1: ...FROM "users"  WHERE (users.fullname_login ILIKE 'a'pple.mac')...
                                                             ^
: SELECT  "users".* FROM "users"  WHERE (users.fullname_login ILIKE 'a'pple.mac') LIMIT 1):
  app/models/user.rb:38:in `case_insensitive_find_by_fullname_login'
  app/controllers/users_controller.rb:26:in `create'

Upvotes: 1

Views: 702

Answers (1)

mdesantis

Reputation: 8517

Looking at your error, I guess you're searching for the fullname_login in a similar way:

User.where("fullname_login ILIKE '#{params[:fullname_login]}'")

THIS IS VERY BAD because it can lead to SQL injections. Instead of that form you should pass an array or a hash, so Rails can escape SQL values automatically:

User.where(["fullname_login ILIKE ?", params[:fullname_login]])

Upvotes: 3
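As an added illustration (not code from the question or the answer), the plain Ruby below shows why the apostrophe in `a'pple.mac` broke the interpolated statement and what bind-parameter quoting does instead; the `quote_literal` and `bound_query` helpers mimic what a database adapter does for `where(["... ?", value])` and are assumptions, not ActiveRecord's implementation.

```ruby
# Added illustration, no Rails required. `quote_literal` and `bound_query`
# are hypothetical stand-ins for the quoting a database adapter performs.

# Naive string interpolation, as in the original model code: the value is
# pasted into the SQL text, so a quote inside the value ends the literal early.
def interpolated_query(login)
  %(SELECT "users".* FROM "users" WHERE (users.fullname_login ILIKE '#{login}') LIMIT 1)
end

# Quote a value as a SQL string literal the way PostgreSQL expects:
# wrap it in single quotes and double any embedded single quote.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind-style query: the SQL template stays fixed and each `?` is replaced by a
# quoted value, so the value can never change the statement's structure.
def bound_query(template, *values)
  parts = template.split("?", -1)
  raise ArgumentError, "bind count mismatch" unless parts.size - 1 == values.size
  parts.zip(values.map { |v| quote_literal(v) } + [""]).flatten.join
end

# Count single quotes that are not part of a doubled pair; an odd count means an
# unterminated literal, which is the PG "syntax error at or near" case above.
def balanced_literals?(sql)
  sql.gsub("''", "").count("'").even?
end

if __FILE__ == $0
  login = "a'pple.mac" # constructed sample input matching the question
  puts interpolated_query(login)                      # unbalanced quotes
  puts bound_query("fullname_login ILIKE ?", login)   # ILIKE 'a''pple.mac'
end
```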
