How to sanitize Rails API params
The examples from your question are all protected against SQL injection automatically.
Relevant quotes from the official Rails Guides:
7.2.1 Introduction
SQL injection attacks aim at influencing database queries by manipulating web application parameters. A popular goal of SQL injection attacks is to bypass authorization. Another goal is to carry out data manipulation or reading arbitrary data. Here is an example of how not to use user input data in a query:
Project.where("name = '#{params[:name]}'")
Then later in the same document:
7.2.4 Countermeasures
Ruby on Rails has a built-in filter for special SQL characters, which will escape ', ", NULL character, and line breaks. Using Model.find(id) or Model.find_by_something(something) automatically applies this countermeasure. But in SQL fragments, especially in conditions fragments (where("...")), the connection.execute() or Model.find_by_sql() methods, it has to be applied manually.
Instead of passing a string, you can use positional handlers to sanitize tainted strings like this:
Model.where("zip_code = ? AND quantity >= ?", entered_zip_code, entered_quantity).first
The first parameter is a SQL fragment with question marks. The second and third parameters will replace the question marks with the value of the variables.
You can also use named handlers, the values will be taken from the hash used:
values = { zip: entered_zip_code, qty: entered_quantity }
Model.where("zip_code = :zip AND quantity >= :qty", values).first
Additionally, you can split and chain conditionals valid for your use case:
Model.where(zip_code: entered_zip_code).where("quantity >= ?", entered_quantity).first
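To make the difference between the "how not to" form and the placeholder forms concrete, here is an added illustration (my own toy code, not ActiveRecord's implementation and not from the question or the Rails Guides). It mirrors the observable effect of positional ? and named :key handlers with a hypothetical quote_sql helper that doubles single quotes, the standard SQL escape. Real ActiveRecord delegates quoting to the database adapter (which also handles the NULL byte and line-break cases the guide mentions) and on many adapters sends true bind parameters, so treat this as a demonstration of the mechanism only:

```ruby
# Added illustration (not Rails code): a toy version of the positional and
# named placeholder substitution described in the Rails Guides quote above.
# ActiveRecord itself delegates quoting to the adapter and may use driver-level
# bind parameters; this only reproduces the observable effect.

# Quote a Ruby value as a SQL literal. Strings get their single quotes
# doubled, which is the standard SQL escape for ' (assumption: no adapter-
# specific escaping such as NULL bytes or backslashes is modelled here).
def quote_sql(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "TRUE"
  when false          then "FALSE"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Positional handlers, as in Model.where("zip_code = ? AND quantity >= ?", zip, qty).
# Every ? is replaced, in order, by the quoted value; a count mismatch is an error.
def bind_positional(fragment, *values)
  count = fragment.count("?")
  raise ArgumentError, "expected #{count} values, got #{values.size}" unless count == values.size
  remaining = values.dup
  fragment.gsub("?") { quote_sql(remaining.shift) }
end

# Named handlers, as in Model.where("zip_code = :zip AND quantity >= :qty", values).
# Each :name is looked up in the hash and replaced by the quoted value.
def bind_named(fragment, values)
  fragment.gsub(/:([A-Za-z_]\w*)/) do
    key = Regexp.last_match(1).to_sym
    raise ArgumentError, "missing value for :#{key}" unless values.key?(key)
    quote_sql(values[key])
  end
end

# The "how not to" form from the guide: raw interpolation of a request param.
def interpolated(name)
  "name = '#{name}'"
end

# Constructed attacker input: closes the open string literal and appends a tautology.
PAYLOAD = "' OR '1'='1".freeze

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{interpolated(PAYLOAD)}"             # predicate is now always true
  puts "positional:   #{bind_positional('name = ?', PAYLOAD)}" # payload stays inside one literal
  puts "named:        #{bind_named('zip_code = :zip AND quantity >= :qty', zip: '90210', qty: 3)}"
end
```

Running it shows the interpolated fragment becoming name = '' OR '1'='1', i.e. a predicate that matches every row, while the bound fragment keeps the whole payload inside a single quoted literal. The hash form in the last example of the answer (Model.where(zip_code: entered_zip_code)) needs none of this because ActiveRecord builds the comparison itself and never lets the value touch the SQL text.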