I’m attempting to avoid any SQL injection vulnerabilities by substituting with my params on

Question

0

Asked: June 17, 20262026-06-17T21:15:07+00:00 2026-06-17T21:15:07+00:00

I’m attempting to avoid any SQL injection vulnerabilities by substituting with my params on

0

I’m attempting to avoid any SQL injection vulnerabilities by substituting with my params on a join.

Category.joins("LEFT OUTER JOIN incomes ON incomes.category_id = categories.id AND incomes.dept_id = ?", params[:Dept])

This attempts to execute the query with a question mark in it, instead of substituting it for the param. What is the proper way to do this?

EDIT:

Query needs to return this:

SELECT categories.* 
FROM "categories" 
LEFT OUTER JOIN incomes 
ON incomes.category_id = categories.id AND incomes.dept_id = 86

not

SELECT categories.* 
FROM "categories" 
LEFT OUTER JOIN incomes 
ON incomes.category_id = categories.id 
WHERE incomes.dept_id = 86

Very different results!

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-17T21:15:09+00:00

One option is to use the sanitize_sql_array method. It is, however, a protected method so on your Category model you could do:

class Category < ActiveRecord::Base
  def self.income_for_dept(dept)
    Category.joins(sanitize_sql_array(["LEFT OUTER JOIN incomes ON incomes.category_id = categories.id AND incomes.dept_id = ?", dept]))
  end
end

Then you would call it like:

Category.income_for_dept(params[:Dept])

Ruby provides some other methods, if need be, to get at that method without making a class method in Category.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m attempting to avoid any SQL injection vulnerabilities by substituting with my params on

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply