
I'm building a custom where clause for a model, and I wanted to know if the way I'm doing it is a secure way against sql injection attacks. This is my method:

def self.search(search)
  if search
    # Each entry pairs a SQL fragment holding a ? placeholder with its bind value.
    conditions = []
    conditions << [ 'name like ?', search[:name] ] unless search[:name].blank?
    conditions << [ 'product_type_id = ?', search[:product_type_id] ] unless search[:product_type_id].blank?

    # transpose splits the pairs into [fragments, values]; the fragments are joined
    # with AND and the values follow as binds: ["a = ? and b = ?", val_a, val_b]
    conditions = ( conditions.empty? ? nil : [conditions.transpose.first.join(' and '), *conditions.transpose.last] )
    where(conditions)
  else
    # No search params: return the unfiltered relation (Rails 3 API)
    scoped
  end
end

What do you think? Thanks in advance!

1 Answer

Yes. This is a secure way against sql injection attacks.

Following is an example where it is not safe:

conditions << [ "name like  #{search[:name]}" ]
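An added example, not code from the question or the answer: a plain-Ruby model of the questioner's condition builder so the resulting [sql, *binds] array can be inspected without a database. It goes one step further than the question by wrapping the name in % wildcards and escaping the wildcards the user supplies; escape_like is our own helper modelled on ActiveRecord's sanitize_sql_like, and no ActiveRecord is loaded.

```ruby
# Escape LIKE metacharacters so user input is matched literally.
# Assumption: backslash is the escape character (the default in most
# databases); an explicit ESCAPE clause would make this portable.
def escape_like(value, escape = "\\")
  value.gsub(/[\\%_]/) { |m| escape + m }
end

# Build conditions the way the question does: each entry is a
# [fragment, bind] pair, and transpose turns the list into
# [joined_fragments, *binds]. Returns nil when nothing was supplied,
# matching the original. `.to_s.strip.empty?` stands in for
# ActiveSupport's blank?, which is not available here.
def build_conditions(search)
  return nil unless search
  conditions = []
  unless search[:name].to_s.strip.empty?
    # The ? placeholder keeps the SQL text fixed; the value travels as a bind.
    # The wildcards are ours; the user's own % and _ are escaped so they
    # cannot widen the match.
    conditions << ["name like ?", "%#{escape_like(search[:name])}%"]
  end
  unless search[:product_type_id].to_s.strip.empty?
    conditions << ["product_type_id = ?", search[:product_type_id]]
  end
  return nil if conditions.empty?
  fragments, binds = conditions.transpose
  [fragments.join(" and "), *binds]
end

# The pattern the answer flags as unsafe: the value becomes part of the
# SQL text itself, so a quote in the input changes the statement rather
# than being treated as data.
def interpolated_condition(search)
  "name like '#{search[:name]}'"
end
```

Compare the two outputs for a name containing an apostrophe: the parameterized form keeps the same SQL template and passes the value as a bind, while the interpolated form yields a different (and broken) statement.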