Reputation: 26212
Possible sql injection
I'm using squeel gem in my project, and I have code something like this :
def self.search(query)
return self.scoped if query.blank?
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%#{query}%"])}
end
My questions is this code vulnerable to SQL injection? And how do I fix it? I tried to do sanitize(query) but it just adds extra set of quotes and the SQL statement doesn't get generated appropriately
Upvotes: 3
Views: 125
Answers (1)
Reputation: 1294
UPDATED:
Squeel will automatically escape strings, so your query is fine and won't open you up to injection. See question about sql injection - Squeel - Github
OLD (INCORRECT) ANSWER: This is the active record version
Someone correct me if i'm wrong, but since you are passing in #{query} as a STRING and not an argument, then you are opening yourself up to injection. See the docs for passing in arguments
Using arguments will escape the 'query' STRING
Your query using arguments:
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%"+?+"%"], query)}
Upvotes: 1
Related Questions
- SQL Injection and ActiveRecord
- Rails SQL injection vulnerability
- Rails 5 SQL Injection
- Rails possible SQL injection error
- Rails: Still confused about SQL Injection
- SQL injections in Rails 4 issue
- SQL Injection in Rails
- Is this Ruby on Rails code vulnerable to SQL injection?
- Rails: Sql injection concern?
- SQL injection on Activerecord query