This query works, but is totally open to SQL injection: products = Product.find(pids, :select

Question

0

Asked: June 9, 20262026-06-09T05:48:34+00:00 2026-06-09T05:48:34+00:00

This query works, but is totally open to SQL injection: products = Product.find(pids, :select

0

This query works, but is totally open to SQL injection:

products = Product.find(pids,
  :select => 'products.*, P.code',
  :joins => "left join product_dist_match P on
    (P.pid = products.pid and P.cid = #{cid})",
)

How can I properly escape the cid variable? The conditions parameter allows the format ['foo = ?', bar] for this purpose, but joins does not.

I don’t want to use find_by_sql because then I would need to add the joins and conditions which are part of the model’s default scope (that would not be DRY).

Edit: My table structure is essentially this:

products: pid (primary key)
product_dist_match: pid, cid, code
customers (not used in the query): cid (primary key)

Note that this is a read-only database which Rails only has limited involvement with. I am not planning to set up models for all the tables; I just want to do a simple query as described above, without exposing myself to SQL injection attacks.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-09T05:48:36+00:00

Editorial Team

2026-06-09T05:48:36+00:00Added an answer on June 9, 2026 at 5:48 am

The answer I found is to use the .sanitize method on the model:

products = Product.find(pids,
  :select => 'products.*, P.code',
  :joins => 'left join product_dist_match P on
    (P.pid = products.pid and P.cid = ' + Product.sanitize(cid) + ')',
)

If you find a better solution, please post it!

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

This query works, but is totally open to SQL injection: products = Product.find(pids, :select

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply