Escaping single quotes in text fields in Ruby on rails 3
Question
I am stuck at an issue where my application should be able to add users to the database with an apostrophe, eg:
firstname.l'astname@example.comorfir'stname.lastname@example.comu'ser.nameoruser.n'ame
Apostrophe can exist anywhere in the name of the user.
There are two ways to add a user: either by email or by username.
Is it possible to add a user in the above format? Is there any method that can ignore the apostrophe from text/input fields in ERB or anywhere else in the app?
I am updating this post with the error message :
Processing by UsersController#create as HTML
Parameters: {"utf8"=>"â", "authenticity_token"=>"Pnn4bO6ECFSmFQTM38ecb2F11UacNbeB5MRBPGVbY2s=", "user"=>{"email"=>"", "fullname_login"=>"a'pple.mac", "password"=>"[FILTERED]"}, "commit"=>"Create user"}
Completed 500 Internal Server Error in 58ms
ActiveRecord::StatementInvalid (PG::Error: ERROR: syntax error at or near "pple"
LINE 1: ...FROM "users" WHERE (users.fullname_login ILIKE 'a'pple.mac')...
^
: SELECT "users".* FROM "users" WHERE (users.fullname_login ILIKE 'a'pple.mac') LIMIT 1):
app/models/user.rb:38:in `case_insensitive_find_by_fullname_login'
app/controllers/users_controller.rb:26:in `create'
1 answers
solution1
2 2014-09-16 21:58:31
Looking at your error, I guess you're searching for the fullname_login in a similar way:
User.where("fullname_login ILIKE '#{params[:fullname_login]}'")
THIS IS VERY BAD because it can lead to SQL injections . Instead of that form you should pass an array or an hash, so Rails can escape SQL values automatically:
User.where(["fullname_login ILIKE ?", params[:fullname_login]])
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.