Home/ Questions/Q 280499
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T05:07:25+00:00

I need to create a simple search but I can’t afford to use Sphinx.

  • 0

I need to create a simple search but I can’t afford to use Sphinx.

Here’s what I wrote:


keywords = input.split(/\s+/)
queries = []

keywords.each do |keyword|
  queries << sanitize_sql_for_conditions(
              "(classifications.species LIKE '%#{keyword}%' OR 
               classifications.family LIKE '%#{keyword}%' OR 
               classifications.trivial_names LIKE '%#{keyword}%' OR
               place LIKE '%#{keyword}%')")
end

options[:conditions] = queries.join(' AND ')

Now, sanitize_sql_for_conditions does NOT work! It returns simply returns the original string.

How can I rewrite this code to escape malicious code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you replace the “#{keyword}” with a “?”, you can do something like this. Using the question mark will automatically sanitize SQL.

    keywords = input.split(/\s+/)
queries = []
vars = []

keywords.each do |keyword|
  queries << "(classifications.species LIKE '%?%' OR 
               classifications.family LIKE '%?%' OR 
               classifications.trivial_names LIKE '%?%' OR
               place LIKE '%?%')"
  vars = vars << keyword << keyword << keyword << keyword
end

options[:conditions] = [queries.join(' AND '), vars].flatten
    • 0