I have a query: @results = the_db.where(‘name LIKE ?’, ‘%#{input}%’).paginate( :page => params[:page], :per_page

Question

0

Asked: June 16, 20262026-06-16T02:30:59+00:00 2026-06-16T02:30:59+00:00

I have a query: @results = the_db.where(‘name LIKE ?’, ‘%#{input}%’).paginate( :page => params[:page], :per_page

0

I have a query:

@results = the_db.where('name LIKE ?', '%#{input}%').paginate(
    :page => params[:page], 
    :per_page => 50, 
    :group => "name", 
    :order => [
        "CASE WHEN name like '#{input}%' THEN 0 
        WHEN name like '% %#{input}% %' THEN 1
            END, name"
    ]
)

The problem is that this is vulnerable to injections. (The order clause) How do I solve this problem? Is it possible to somehow sanitize the user’s input to negate any attacks?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-16T02:31:00+00:00

You can use the sanitize_sql_array method. Unfortunately, it is a private method, so you have to call it with send.

query = <<-QUERY
CASE WHEN name like ? THEN 0 
     WHEN name like ? THEN 1
     END, name
QUERY

sanitized_order = ActiveRecord::Base.send :sanitize_sql_array, [query, "'#{input}%'", "'% %#{input}% %'"]

@results = the_db.where('name LIKE ?', '%#{input}%').paginate(
:page => params[:page], 
:per_page => 50, 
:group => "name", 
:order => sanitized_order)

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a query: @results = the_db.where(‘name LIKE ?’, ‘%#{input}%’).paginate( :page => params[:page], :per_page

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply