Reputation:
I want to sanitize the data coming from my form in ActiveRecord, especially the apostrophe, before it is actually included in the SQL query. I want it to become something like raghu'\s
if raghu's
is entered. I have already tried using:
sanitize_sql_array
sanitize_sql_for_assignment
sanitize_sql_for_conditions
sanitize_sql_hash_for_assignment
sanitize_sql_hash_for_conditions
But none of these seem to escape the apostrophe, thereby failing my SQL query.
Upvotes: 0
Views: 1769
Reputation: 654
Rails will handle a lot of the sanitizing for you if you use the following format for performing finds. It'll run the necessary sub-methods to ensure that nothing potentially destructive is inserted into the database. Not sure about the single inverted comma, but it's worth a shot.
Model.find(:all, :conditions => ["text_value = ?", params[:form_input]])
Upvotes: 2
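As an added example (not code from the question or either answer, and not ActiveRecord itself), here is a minimal stand-in for what the `["... = ?", value]` conditions form does with a bind value, alongside the naive string interpolation the question is running into. It assumes standard SQL quoting, where an apostrophe inside a literal is doubled, which is what ActiveRecord emits for SQLite and PostgreSQL; the MySQL adapter backslash-escapes instead.

```ruby
# Quote one Ruby value as a SQL literal the way a bind parameter would be
# rendered. Doubling the apostrophe is standard SQL; a backslash is not.
def quote_sql_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Toy version of sanitize_sql_array: replace each "?" in the pattern with the
# quoted bind value, in order. Raises if the counts do not match, so a missing
# or extra value cannot silently produce a malformed query.
# (Hypothetical helper name; it only handles "?" placeholders, not :named ones.)
def sanitize_conditions(pattern, *values)
  placeholders = pattern.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} bind values, got #{values.size}"
  end
  queue = values.dup
  pattern.gsub("?") { quote_sql_value(queue.shift) }
end

# The approach the question is struggling with: building the literal by hand.
# An apostrophe in the input closes the literal early and the query fails.
def naive_condition(input)
  "text_value = '#{input}'"
end

if __FILE__ == $0
  # Constructed sample input: the apostrophe case from the question.
  input = "raghu's"
  puts naive_condition(input)                        # text_value = 'raghu's'   (broken)
  puts sanitize_conditions("text_value = ?", input)  # text_value = 'raghu''s'  (valid)
end
```

In real ActiveRecord the same idea is `Model.sanitize_sql_array(["text_value = ?", params[:form_input]])`, or simply the conditions array shown in the answer above, which calls it for you.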
Reputation: 2449
You might want to have a look at this thread - Strip & Sanitize BEFORE saving data from the Ruby Forum - I haven't tried any of the solutions mentioned, but it might get you going in the right direction.
Upvotes: 0