JZ.

Reputation: 21877

Activerecord: Is this MySQL safe? If not how can I sanitize it?

I'm using the find_by_sql method, and I'm not sure if what I am doing is safe. If it's not, how can I sanitize my variables?

Table.find_by_sql("SELECT * FROM TABELS
     WHERE table.`table_id` = '#{params[:table]}'
           and insights.`created_at` >= '#{@stime}'
           and insights.`created_at` <= '#{@etime}'
     GROUP BY places.`id`
     ORDER BY sum(insights.`checkins`) DESC").paginate(:page => params[:page], :per_page => Place.per_page)

Upvotes: 1

Views: 439

Answers (1)

Zabba

Reputation: 65467

Your SQL is currently not safe. Do this instead:

Table.find_by_sql(["SELECT * FROM TABLES
     WHERE table.`table_id` = ?
           and insights.`created_at` >= ?
           and insights.`created_at` <= ?
     GROUP BY places.`id`
     ORDER BY sum(insights.`checkins`) DESC",
         params[:table],
         @stime,
         @etime]).
     paginate(:page => params[:page], :per_page => Place.per_page)

Note that the param to find_by_sql is an array: the first element is the SQL string, the rest are the parameters, in order. The ? placeholders are left unquoted; the values are quoted and escaped for you when they are substituted.

Upvotes: 5
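An added illustration, not part of the question or answer and not ActiveRecord's own code: a small stand-in for the quoting that the array form of find_by_sql performs, so the interpolated and bound versions of the query above can be compared side by side. Table and column names are simplified, and the quoting rules are an approximation of what a MySQL adapter does.

```ruby
# Added illustration, not ActiveRecord's own code: a minimal stand-in for the
# quoting ActiveRecord applies to the array form of find_by_sql, used to
# compare it with plain "#{...}" interpolation.
# Quote one value as a SQL literal. Quotes and backslashes inside strings are
# backslash-escaped (MySQL style); numbers are left bare; times become
# 'YYYY-MM-DD HH:MM:SS'; nil becomes NULL.
def quote_literal(value)
  case value
  when Integer, Float then value.to_s
  when Time then "'#{value.strftime('%Y-%m-%d %H:%M:%S')}'"
  when nil then "NULL"
  else "'" + value.to_s.gsub(/['\\]/) { |c| "\\" + c } + "'"
  end
end

# Replace each ? in order with its quoted bind value; a count mismatch raises,
# as it does in ActiveRecord.
def bind_sql(sql, *values)
  expected = sql.count("?")
  raise ArgumentError, "#{expected} placeholders, #{values.size} values" unless expected == values.size
  queue = values.dup
  sql.gsub("?") { quote_literal(queue.shift) }
end

# Unsafe form from the question: the value is spliced into the SQL text as-is.
def interpolated_sql(table_id)
  "SELECT * FROM tables WHERE table_id = '#{table_id}'"
end

# Safe form from the answer: bare ? placeholders, values passed separately.
def bound_sql(table_id, stime, etime)
  bind_sql("SELECT * FROM tables WHERE table_id = ? " \
           "AND created_at >= ? AND created_at <= ?",
           table_id, stime, etime)
end

# Pitfall: writing '?' with your own quotes yields a doubly quoted literal.
def quoted_placeholder_sql(table_id)
  bind_sql("SELECT * FROM tables WHERE table_id = '?'", table_id)
end

# True when the unescaped single quotes pair up, i.e. the statement's literal
# structure survived the value placed into it (sufficient for this illustration).
def quotes_balanced?(sql)
  sql.scan(/(?<!\\)'/).size.even?
end

TABLE_ID = "O'Neil" # constructed input containing a quote, as user input may
puts interpolated_sql(TABLE_ID), bound_sql(TABLE_ID, Time.utc(2011, 1, 1), Time.utc(2011, 1, 31))
```

With interpolation the embedded quote ends the literal early and the statement is no longer what the author wrote; with binds it is escaped and stays inside the literal.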
