tags:

views:

83

answers:

4
+1  Q: 

Rails 3: sql injection free queries

I love new Rail 3!

The new query syntax is so awesome:

users = User.where(:name => 'Bob', :last_name => 'Brown')

But when we need to do something like 

SELECT * FROM Users WHERE Age >= const AND Money > const2

We have to use 

users = User.where('Age >= ? and money > ?', const, const2)

Which is not very cool. The following query is not safe because of SQL injection:

users = User.where('Age >= #{const} and money > #{const2}')

I like the C#/LINQ version

var users = DB.Where(u => u.Age >= const && u.Money > const2);

Is there a way to do something like that in Rails?

+2  A: 

In Rails 3 you can chain these selections together. I'm not up on the specific syntax, but this is a good start: http://railscasts.com/episodes/202-active-record-queries-in-rails-3

The basic concept is that you can chain together scopes or where clauses, etc:

meta-code here:

users = User.where(:age_of_consent).where(:has_credit)

scope :age_of_consent where("age >= ?", 18)
scope :has_credit where("credit > ?", 10)
Jed Schneider  2010-07-31 12:35:47
+2  A: 

You might be interested in MetaWhere with which you can write:

users = User.where(:age >= const, :money > const2)
Bryan Ash  2010-07-31 12:49:38
+1  A: 

You can pass a hash of named parameters to your query which is an improvement over the anonymous positional parameters.

users = User.where('Age >= ? and money > ?', const, const2)

becomes (is is more similar to the LINQ syntax)

users = User.where('Age >= :const and money > :const2', {:const => const, :const2 => const2})
bjg  2010-07-31 12:53:00
+1  A: 

The new querying with rails isn't vulnerable to SQL injection. Any quotes in the argument are escaped.

Rails 3 AR has gained the delayed execution that LINQ has had for a while. This lets you chain any of the query methods. The only time you have to put 2 or more parts into a where is when you want an OR.

That aside, there are many different ways to do your query.

Users.where('age >= ?', age).where('money > ?', money)
Users.where('age >= ? and money > ?', age, money)

class User < ActiveRecord::Base
  scope :aged, lambda { |age| where('age >= ?', age) }
  scope :enough_money, lambda { |money| where('money > ?', money) }

  scope :can_admit, lambda { |age, money| aged(age).enough_money(money) }
end

Users.aged(18).enough_money(200)
Users.can_admit(18, 200)
Samuel  2010-07-31 17:25:56
Thanks! That's what I was looking for.
Alex  2010-08-03 07:01:10

related questions

How to find an implementation of a C# interface in the current assembly with a specific name?
Learning about LINQ
LINQ to SQL Mapping From Money to Double
SQL Server 2008 vs 2005 Linq integration
Aging Data Structure in C#
LINQ-to-SQL vs stored procedures?
LINQ, entity that implements Interface and exception in mapping
How can I remove nodes from a SiteMapNodeCollection?
Conditional Linq Queries
LINQ query on a DataTable
Expression.Invoke in Entity Framework?
How to return a page of results from SQL?
Import Namespace System.Query
Has anyone run performance benchmarks comparing LINQ
Beginners Guide to LINQ
Querying like Linq when you don't have Linq.
Linq to objects - select first object
C# 3.0 Where extension method with lambda vs LINQtoObjects to filter in memory collections.
How much database performance overhead when using LINQ?
LinqDataSource - Can you limit the amount of records returned?
LINQ on the .NET 2.0 Runtime
How do I most elegantly express left join with aggregate SQL as LINQ query
How do you page a collection with LINQ?
How do I get a distinct, ordered list of names from a DataTable using Linq
How do I fill a DataSet or a DataTable from a LINQ query resultset ?