mirror of
https://github.com/jbranchaud/til
synced 2026-01-03 23:28:02 +00:00
36 lines
967 B
Markdown
36 lines
967 B
Markdown
# Write Safer Where Clauses With Placeholders
|
|
|
|
Ruby has a super ergonomic syntax for string interpolation. This can make it
|
|
tempting to build up ActiveRecord `where` clauses like so:
|
|
|
|
```ruby
|
|
def get_book_by_title(title)
|
|
Book.where("lower(title) = #{title.downcase}")
|
|
end
|
|
```
|
|
|
|
The `where` clause, as written, is vulnerable to a SQL injection attack.
|
|
|
|
There are two kinds of placeholder syntax that you can use instead handle
|
|
sanitization of the SQL.
|
|
|
|
```ruby
|
|
def get_book_by_title(title)
|
|
Book.where("lower(title) = ?", title.downcase)
|
|
end
|
|
```
|
|
|
|
You can use multiple `?` in the query and they same number of following
|
|
arguments will be interpolated in order.
|
|
|
|
There is also the keyword placeholder syntax which can give you more
|
|
flexibility and make the SQL read more clearly.
|
|
|
|
```ruby
|
|
def get_book_by_title(title)
|
|
Book.where("lower(title) = :title", title: title.downcase)
|
|
end
|
|
```
|
|
|
|
[source](https://devdocs.io/rails~5.2/activerecord/querymethods#method-i-where)
|