Possible SQL injection

I am using squeel gem in my project and I have code something like this:

    # Class method on the model that has a :supplier association
    def self.search(query)
      return self.scoped if query.blank?

      # Squeel DSL: case-insensitive LIKE on the joined supplier's name
      self.joins(:supplier).where{lower(supplier.supplier_name).like_any(["%#{query}%"])}
    end


My questions are: is this code vulnerable to SQL injection, and how do I fix it? I tried sanitize(query), but it just adds an extra set of quotes and the generated SQL statement fails accordingly.

+3




1 answer


UPDATED:

Squeel will automatically escape the strings, so your query will be fine and won't open you up to injection. See the question SQL Injection - Squeel on GitHub.

OLD (INCORRECT) ANSWER: This is the ActiveRecord version

Someone will correct me if I am wrong, but since you are passing #{query} in as a STRING and not as an argument, you are opening yourself up to injection. See the docs on passing arguments.



Using arguments avoids passing the raw STRING.

Your query using arguments:

    # ActiveRecord placeholder form: the value is bound as a single quoted literal
    # (assumes the joined table is named suppliers)
    self.joins(:supplier).where("lower(suppliers.supplier_name) LIKE ?", "%#{query}%")


+1


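The following is an added example, not code from the question, the answer, Squeel or ActiveRecord. It models in plain Ruby (no database needed) what the answer is getting at: interpolating the user's string straight into SQL text lets it terminate the literal and add conditions, whereas quoting it the way ActiveRecord's quote and ? placeholders do keeps it a single literal. It also shows a second, separate issue that quoting does not address: % and _ in the input are LIKE wildcards, which is what ActiveRecord's sanitize_sql_like (Rails 4.2+) exists to escape. The table and column names are assumed for illustration.

```ruby
# Added example, not from the original post or from Squeel/ActiveRecord.
# Everything here is plain Ruby string handling that mirrors the behaviour
# of a database adapter's quoting; table/column names are assumed.

# Vulnerable: the raw user string lands inside the SQL text.
def interpolated_sql(query)
  "SELECT * FROM suppliers WHERE lower(supplier_name) LIKE '%#{query}%'"
end

# Quote a SQL string literal: wrap in single quotes and double any single
# quote inside the value, so the value can never close the literal early.
# This is what ActiveRecord's quote / ? placeholders do for strings.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Injection-safe with respect to the literal: the value stays one string.
def quoted_sql(query)
  "SELECT * FROM suppliers WHERE lower(supplier_name) LIKE " +
    quote_literal("%#{query}%")
end

# Escape LIKE metacharacters (\, %, _) so user input cannot widen the
# pattern. Same idea as ActiveRecord's sanitize_sql_like (Rails 4.2+).
def escape_like(value, escape_char = "\\")
  value.to_s.gsub(/[\\%_]/) { |m| escape_char + m }
end

# Quoted AND wildcard-escaped: the user's text is matched literally.
def quoted_sql_with_like_escape(query)
  pattern = "%" + escape_like(query) + "%"
  "SELECT * FROM suppliers WHERE lower(supplier_name) LIKE " +
    quote_literal(pattern) + " ESCAPE '\\'"
end

# Count the string literals in a SQL statement, treating '' as an escaped
# quote. A single value that was quoted correctly yields exactly one
# literal; a successful injection produces more.
def literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).length
end

if __FILE__ == $0
  # Constructed payload: closes the literal and appends an always-true test.
  payload = "' OR '1'='1"
  puts "interpolated: #{interpolated_sql(payload)}"
  puts "  literals: #{literal_count(interpolated_sql(payload))}"
  puts "quoted:       #{quoted_sql(payload)}"
  puts "  literals: #{literal_count(quoted_sql(payload))}"
  # Constructed input showing the wildcard problem that quoting leaves open.
  puts "wildcard:     #{quoted_sql('50%')}"
  puts "escaped:      #{quoted_sql_with_like_escape('50%')}"
end
```

Run it with `ruby` and compare the two statements: with the payload above, the interpolated version contains three string literals and an OR that the caller never wrote, the quoted version contains one literal whose content happens to include quotes. In a Rails model the equivalent of the last function is `where("lower(suppliers.supplier_name) LIKE ?", "%#{sanitize_sql_like(query)}%")`; the placeholder handles quoting, sanitize_sql_like handles the wildcards, and neither one replaces the other.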
