user827107
Reputation: 51
Insert delayed and prevention of sql injection
Previously I used
Model.create()
to insert a row, now, I want to use DELAYED option in Mysql.
But, if I write
ActiveRecord::Base.connection.execute("INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{params[:id]})")
so I get sql injection. How to prevent it?
Upvotes: 0
Views: 226
Answers (1)
Dogbert
Reputation: 222428
Use connection.quote
id = ActiveRecord::Base.connection.quote(params[:id])
ActiveRecord::Base.connection.execute("INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{id})")
Upvotes: 2
Related Questions
- Insert delayed in rails
- MySQL "INSERT" and SQL injection
- Rails preventing SQL injections
- MySQL Injection prevention
- Protecting against sql injection using activerecord
- How do I avoid sql injections?
- Prevention of SQL injection via ruby script
- Protecting against SQL injection in Rails
- Problem with MYSQL (INSERT)
- what is the best way to prevent sql injection in mysql