Home/ Questions/Q 6892447
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T06:32:11+00:00

@usersfound = User.find_by_sql([ SELECT * from users where name @@ plainto_tsquery(‘english’, ?) LIMIT 20

  • 0
@usersfound = User.find_by_sql(["

SELECT * from users where name @@ plainto_tsquery('english', ?) LIMIT 20 offset ?

  ",@query,@offset])

See above, is this safe from sql injection? I am very new to doing direct sql commands on a database in rails. (I am aware there may be other ways of doing this SPECIFIC query, but I am wondering if in general, using find_by_sql and that kind of insertion of vars is safe – I have some difficult queries with subselects and joins that are really possible to do with ActiveRecord.

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, that should be safe. If you trace through the code you’ll find that your find_by_sql call ends up calling PGconn#send_query_prepared with the bind parameters being carried along as little more than baggage; the send_query_prepared method is just a wrapper for the PQsendQueryPrepared API call in libpq:

    static VALUE
pgconn_send_query_prepared(int argc, VALUE *argv, VALUE self)
{
    /* ... bunch of boiler plate marshalling stuff ... */
    result = PQsendQueryPrepared(conn, StringValuePtr(name), nParams, 
        (const char * const *)paramValues, paramLengths, paramFormats, 
        resultFormat);
    /* ... */
}

    The bind parameters end up in paramValues. So you should be fine unless there are bugs in PostgreSQL’s C library prepared statement handling.

    • 0