how to escape a string before insert or update in Ruby

ruby activerecord sql-injection mysql-real-escape-string
ywenbo picture ywenbo · Dec 24, 2010 · Viewed 9.5k times · Source

In ruby ActiveRecord doesn't provide dynamic binding for update and insert sqls, of course i can use raw sql, but that need maintain connection, so i want to know if there is simpler way to escape update or insert sql before executing like code below:

ActiveRecord::Base.connection.insert(sql)

i think i can write code by gsub, but i know if there has been a ready method to do it.

Answer

rantler picture rantler · Sep 1, 2012

In Rails >= 3.2.5 the following works for me:

evil_input = '"\';%#{}\"foo'
ActiveRecord::Base.connection.quote(evil_input)
=> "'\"'';%\#{}\\\"foo'"

Related questions

How to drop columns using Rails migration

What's the syntax for dropping a database table column through a Rails migration?

Read More
Rails Active Record find(:all, :order => ) issue

I seem to be unable to use the ActiveRecord::Base.find option :order for more than one column at a time. For example, I have a "Show" model with date and attending columns. If I run the following code: @shows = …

Read More
How to get last N records with activerecord?

With :limit in query, I will get first N records. What is the easiest way to get last N records?

Read More