MiningSam

Reputation: 603

Rails preventing SQL injections

I am worried that my solution won't be very secure. I am using Rails 4.1.6

Currently I use:

@x = params[:myquery]
Monkey.where("monkeys_name LIKE ?", "%#{@x}%") 

I want to prevent SQL injections. How do I discover malicious things inside @x? Are there helpers? Or does Rails do something to prevent it under the hood?

Thanks!

Upvotes: 0

Views: 61

Answers (1)

Serdar Dogruyol

Reputation: 5157

In the Rails Security Guide it says that

Instead of passing a string to the conditions option, you can pass an array to sanitize tainted strings.

Monkey.where("monkeys_name LIKE ?", "%#{@x}%") 

So your string will be sanitized by default and Rails will do the heavy lifting for you in this case.

You can read the detailed guide here; especially 7.2.4 is what you are looking for.

http://edgeguides.rubyonrails.org/security.html#sql-injection

Upvotes: 3
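Added illustration of why the array form in the question and answer is safe, and of one thing it does not cover; this is stand-alone Ruby written for this page, not Rails' own code. The helpers `quote_sql_string` and `bind_placeholders` are assumed stand-ins that mimic what an ActiveRecord adapter does with a `?` placeholder, and `escape_like` is a hypothetical helper for a caveat the guide section does not address.

```ruby
# Quote a value the way a SQL adapter quotes a string literal:
# wrap it in single quotes and double any embedded single quote.
# (Stand-in for adapter quoting, not ActiveRecord's implementation.)
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for the Array/`?` form of `where`: every `?` is replaced by the
# quoted value, so user input can never close the literal and add SQL.
def bind_placeholders(sql, *values)
  remaining = values.dup
  sql.gsub("?") { quote_sql_string(remaining.shift) }
end

# The unsafe pattern: user input interpolated straight into the SQL text.
# A plain apostrophe in the input already terminates the literal early.
def unsafe_like(user_input)
  "SELECT * FROM monkeys WHERE monkeys_name LIKE '%#{user_input}%'"
end

# The pattern from the answer: placeholder in the SQL, value bound separately.
def safe_like(user_input)
  bind_placeholders("SELECT * FROM monkeys WHERE monkeys_name LIKE ?",
                    "%#{user_input}%")
end

# Caveat: quoting keeps the query well-formed, but LIKE wildcards (% and _)
# inside the value are still interpreted by the database, so a user can
# widen the search to every row. Escape them if that matters; Rails 4.2+
# ships sanitize_sql_like for this, Rails 4.1.6 (the version in the question)
# needs a helper such as this one. Pair it with `LIKE ? ESCAPE '\'` on
# databases that do not default to backslash as the escape character.
def escape_like(value, escape_char = "\\")
  value.to_s.gsub(/[\\%_]/) { |m| escape_char + m }
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_like("O'Neil")   # literal ends after O, rest is stray SQL
  puts safe_like("O'Neil")     # '%O''Neil%' stays one string literal
  puts safe_like("%" + escape_like("100%") + "%")
end
```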
