Amrinder Singh

Reputation: 5492

Unable to prevent query from SQL Injection in Rails

I am working on a Rails project and using Brakeman as a tool for debugging. I have used a query to get data from a table, but during Brakeman's test it states there is a SQL injection possibility in the query.

Here is my query:

Applicant.all.where("profile_id=#{current_user.profile.id}").first

But I don't know what the issue is with this query; if it is not secure, then how can I protect it from SQL injection?

Upvotes: 1

Views: 183

Answers (2)

Vishal G

Reputation: 1531

Use this; according to the Rails guide, it is the right way to do this:

Applicant.where('profile_id = ?', current_user.profile.id).first

OR

Applicant.where(profile_id: current_user.profile.id).first

OR

Applicant.find_by_profile_id(current_user.profile.id)

OR

Applicant.find_by(profile_id: current_user.profile.id)

Upvotes: 4
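To make the difference between the flagged query and the answer's forms concrete, here is an added example in plain Ruby (not code from the question, the answers, Rails or Brakeman; no Rails install needed). It models how a `?` bind parameter is rendered as a quoted literal versus how `#{...}` splices raw text into the statement, and includes a deliberately simple, Brakeman-style source check that flags a `where()` whose string argument contains an interpolation. The `bind_sql`, `quote_literal`, `interpolate_sql` and `interpolated_where?` names and the hostile sample value are assumptions constructed for the illustration.

```ruby
# Added example, not code from the question or the answers: a pure-Ruby model of
# how ActiveRecord renders the two query styles above, plus a Brakeman-style
# check for interpolation inside a where() string. No Rails install is needed.

# Render a Ruby value as a SQL literal the way a bind parameter is rendered:
# integers stay bare, nil becomes NULL, everything else is single-quoted with
# embedded quotes doubled so the value can never close the literal early.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Parameterised form, as in Applicant.where('profile_id = ?', value):
# each ? is replaced by a quoted literal, so user input is always data,
# never part of the statement's structure.
def bind_sql(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} bind values, got #{values.size}"
  end
  parts.zip(values.map { |v| quote_literal(v) } << "").flatten.join
end

# Interpolated form, as in where("profile_id=#{x}"): the value is spliced in
# as raw text. This is the shape Brakeman flags in the question.
def interpolate_sql(column, raw_value)
  "#{column}=#{raw_value}"
end

# Brakeman-style source check (a deliberately simple approximation, assumed
# here, not Brakeman's real rule): flag a where() whose string argument
# contains a #{...} interpolation.
WHERE_INTERPOLATION = /where\(\s*["'][^"']*#\{/

def interpolated_where?(source_line)
  source_line.match?(WHERE_INTERPOLATION)
end

# Compare the rendered fragments for a normal integer id (as current_user.profile.id
# is assumed to be) and for a constructed hostile string that a raw interpolation
# would splice straight into the SQL.
def compare_renderings
  id      = 42
  hostile = "42 OR 1=1"   # constructed sample input, not a real value
  {
    bound_integer: bind_sql("profile_id = ?", id),        # profile_id = 42
    bound_string:  bind_sql("profile_id = ?", hostile),   # profile_id = '42 OR 1=1'
    interpolated:  interpolate_sql("profile_id", hostile) # profile_id=42 OR 1=1
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_renderings.each { |k, v| puts "#{k}: #{v}" }
  puts interpolated_where?(%q(Applicant.all.where("profile_id=#{current_user.profile.id}").first))  # true
  puts interpolated_where?(%q(Applicant.where('profile_id = ?', current_user.profile.id).first))   # false
end
```

The point the rendering makes is that with a bind parameter the whole input becomes one literal (either a bare integer or a quoted string), so it is compared against `profile_id` rather than being read as more SQL; the hash form `where(profile_id: ...)` and `find_by` from the answer get the same treatment from ActiveRecord. The source check is what the Brakeman warning in the question amounts to: the interpolation sits inside the string literal, which Brakeman cannot prove safe, whereas the `?` and hash forms keep the value out of the string entirely.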

siegy22

Reputation: 4413

I think the thing that you're looking for is:

Applicant.find_by(profile_id: current_user.profile.id)

When you read this code it's easier to understand what you're doing.

Upvotes: 0
