I’m doing a query: @results = RubyGem.where( ‘name LIKE ?’, %#{searchphrase}% ).paginate( :page =>

Question

0

Asked: June 16, 20262026-06-16T00:37:49+00:00 2026-06-16T00:37:49+00:00

I’m doing a query: @results = RubyGem.where( ‘name LIKE ?’, %#{searchphrase}% ).paginate( :page =>

0

I’m doing a query:

    @results = RubyGem.where(
    'name LIKE ?', "%#{searchphrase}%"
    ).paginate(
        :page => params[:page], 
        :per_page => 50, 
        :group => "name", 
        :order => [
            "CASE WHEN name like '#{searchphrase}%' THEN 0 
            WHEN name like '% %#{searchphrase}% %' THEN 1 
            WHEN name like '%#{searchphrase}' THEN 2 
            ELSE 3 END, name"
        ]
    )

But I am pretty sure this is vulnerable to injections… Could someone fix this so it is not, while keeping the functionality the same? I am using Ruby on Rails and MySQL.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-16T00:37:50+00:00

Editorial Team

2026-06-16T00:37:50+00:00Added an answer on June 16, 2026 at 12:37 am

@results = RubyGem.where(
    'name LIKE ?', "%#{searchphrase}%"
).paginate(
     :page => params[:page], 
     :per_page => 50, 
     :group => "name", 
     :order => [
       "CASE WHEN name like ? THEN 0 WHEN name like  THEN 1 WHEN name like '%#{searchphrase}' THEN 2 ELSE 3 END, name", "#{searchphrase}%", "% %#{searchphrase}% %"
     ]
)

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m doing a query: @results = RubyGem.where( ‘name LIKE ?’, %#{searchphrase}% ).paginate( :page =>

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply