Rails string injection adds quotations marks
Question
I am trying to enter a letter given by the get request into a Like statment in tails 3. So far I have the following code:
@entries = Entry.where("key LIKE '?%'", params[:letter]).order(:key)
Problem is it is creating the wrong kind of sql query adding quotation marks around the injected letter. it creates the following sql for :letter => 'a':
SELECT "entries".* FROM "entries" WHERE (key LIKE ''a'%') ORDER BY key
Instead of:
SELECT "entries".* FROM "entries" WHERE (key LIKE 'a%') ORDER BY key
How can I fix this?
1 answers
solution1
4 ACCPTED 2012-10-03 22:30:10
@entries = Entry.where("key LIKE ?", "#{params[:letter]}%").order(:key)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Upgrade to Rails 4.2.0: string literals in where conditions wrapped into quotation marks
Rails 2 database model returns bad encoded string with question marks
How to remove html marks from string in rails 1.2.5
CSV.generate adds quotation marks to strings
Rails escape characters for two layers of quotations
Rails adds `AND (1=0)` to queries
Rails. How to remove quotation marks from query conditions when using a placeholder and string?
Rails controller adding quotation marks
sql injection in rails
Rails SQL injection vulnerability
Related Tags