I’m trying to sort some records in Rails and I’m passing something like created_at DESC as the param, and was wondering — is the SQL properly escaped by ActiveRecord, or is this a bad way of doing it? I tried substituting with ? like I normally do with strings, but although I could get it to work in SQLite, PG threw an error.
Here’s what I’m doing that works — but wondering if it’s safe?
if params[:by]
@photos = Photo.find(:all, :order => params[:by])
else
...
If you use the Active Record Query Interface like you did above, Rails will perform the SQL sanitization. See http://guides.rubyonrails.org/active_record_querying.html
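As an added example (not code from the question or the answer above): ActiveRecord's order treats a string argument as a raw SQL fragment, and since Rails 6 a non-attribute string must be wrapped in Arel.sql, so the usual defensive pattern is to allow-list the column and direction before building the order clause. The column names below are assumed for a hypothetical Photo model; the helper runs stand-alone without Rails.

```ruby
# Added example, not from the question or the answer above.
# Allow-list an "<column> <direction>" sort parameter before handing it to
# ActiveRecord's order, which treats a plain string as a raw SQL fragment.
# The column list is an assumption for a hypothetical Photo model.
PHOTO_SORT_COLUMNS = %w[created_at updated_at title].freeze
SORT_DIRECTIONS = %w[asc desc].freeze

# Returns a hash such as { created_at: :desc } that can be passed to
# Photo.order(...), or nil when the parameter is absent, malformed,
# names an unknown column, or carries anything beyond "column direction".
def safe_order(param, allowed_columns: PHOTO_SORT_COLUMNS, default_direction: :asc)
  return nil if param.nil?

  # Split into at most two tokens; anything extra ends up in `direction`
  # and is rejected by the allow-list check below.
  column, direction = param.to_s.strip.split(/\s+/, 2)
  return nil unless allowed_columns.include?(column)

  direction = (direction || default_direction).to_s.downcase
  return nil unless SORT_DIRECTIONS.include?(direction)

  { column.to_sym => direction.to_sym }
end

# Illustrative use inside a controller (hypothetical):
#   @photos = Photo.order(safe_order(params[:by]) || { created_at: :desc })
```

Because the result is a column/direction hash rather than a string, ActiveRecord quotes the column itself and no user-supplied text reaches the SQL.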