I'm using squeel gem in my project, and I have code something like this :
def self.search(query)
return self.scoped if query.blank?
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%#{query}%"])}
end
My questions is this code vulnerable to SQL injection? And how do I fix it? I tried to do sanitize(query)
but it just adds extra set of quotes and the SQL statement doesn't get generated appropriately
UPDATED:
Squeel will automatically escape strings, so your query is fine and won't open you up to injection. See question about sql injection - Squeel - Github
OLD (INCORRECT) ANSWER: This is the active record version
Someone correct me if i'm wrong, but since you are passing in #{query} as a STRING and not an argument, then you are opening yourself up to injection. See the docs for passing in arguments
Using arguments will escape the 'query' STRING
Your query using arguments:
self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%"+?+"%"], query)}