Rails searching through array column and SQL injection

Question

I have quick question. Is this code is vulnerable to SQL injection:

ActiveAdmin::SurveyPack.where("survey_schemas @> '{#{survey_schema}}'")

survey_schemas column is an array column in my rails app.

Nitin Srivastava · Accepted Answer · 2015-12-03 07:38:46Z

2

Please make it simple.

    ActiveAdmin::SurveyPack.where("survey_schemas @> ARRAY[?]", survey_schema)

or

    ActiveAdmin::SurveyPack.where("survey_schemas = ARRAY[?]", survey_schema)

Happy coding.

answered Dec 3, 2015 at 7:38

Nitin Srivastava

1,4247 silver badges12 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

richfisher · Accepted Answer · 2015-12-03 07:10:50Z

1

short answer, yes.

from ActiveAdmin::SurveyPack.where("survey_schemas @> '{#{survey_schema}}'")

to ActiveAdmin::SurveyPack.where("survey_schemas @> '{?}'", survey_schema)

answered Dec 3, 2015 at 7:10

richfisher

9516 silver badges6 bronze badges

Hmm, this ActiveAdmin::SurveyPack.where("survey_schemas @> '{?}'", survey_schema) returns syntax error.

Something like this works properly: ActiveAdmin::SurveyPack.where("survey_schemas @> ?", '{"#{survey_schema}"}')