sqlrubyoracle-databaseruby-on-rails-3squeel

Possible sql injection


I'm using squeel gem in my project, and I have code something like this :

def self.search(query)
    return self.scoped if query.blank?

    self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%#{query}%"])}
  end

My questions is this code vulnerable to SQL injection? And how do I fix it? I tried to do sanitize(query) but it just adds extra set of quotes and the SQL statement doesn't get generated appropriately


Solution

  • UPDATED:

    Squeel will automatically escape strings, so your query is fine and won't open you up to injection. See question about sql injection - Squeel - Github

    OLD (INCORRECT) ANSWER: This is the active record version

    Someone correct me if i'm wrong, but since you are passing in #{query} as a STRING and not an argument, then you are opening yourself up to injection. See the docs for passing in arguments

    Using arguments will escape the 'query' STRING

    Your query using arguments:

    self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%"+?+"%"], query)}