Mateusz Urbański
Reputation: 7862
Rails searching through array column and SQL injection
I have quick question. Is this code is vulnerable to SQL injection:
ActiveAdmin::SurveyPack.where("survey_schemas @> '{#{survey_schema}}'")
survey_schemas column is an array column in my rails app.
Upvotes: 0
Views: 113
Answers (2)
Nitin Srivastava
Reputation: 1424
Please make it simple.
ActiveAdmin::SurveyPack.where("survey_schemas @> ARRAY[?]", survey_schema)
or
ActiveAdmin::SurveyPack.where("survey_schemas = ARRAY[?]", survey_schema)
Happy coding.
Upvotes: 2
richfisher
Reputation: 951
short answer, yes.
from ActiveAdmin::SurveyPack.where("survey_schemas @> '{#{survey_schema}}'")
to ActiveAdmin::SurveyPack.where("survey_schemas @> '{?}'", survey_schema)
Upvotes: 1
Related Questions
- How to search psql array elements by index in rails
- Rails OR query with postgres array
- SQL Query Where Array is in Array Field
- Search In a column which stores an array
- Rails where clause when something is stored as array
- search a database where column = array
- How would I search for a model using an array in a .where?
- Find Record from Array Field In PG
- SQL query IN using Ruby array
- Rails 3 Searching through a string using an array