Recommended way to avoid SQL injection
briandamaged committed Nov 23, 2014
1 parent 44f388a commit d3efa17
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions search.rb
Expand Up @@ -13,6 +13,19 @@ def search_first_name
def search_last_name
print "Last name: "
last_name = gets.chomp

### FYI: This is vulnerable to SQL injection.
### Consider using the following form of
### the #where clause instead:
###
### Person.where("last_name LIKE ?", "%#{last_name}%")
###
### This will ensure that the data is
### properly escaped. (BTW: I suspect the
### reason that this didn't work the other
### day was because you used 'single quotes'
### instead of "double quotes")
###
people = Person.where("last_name LIKE '%#{last_name}%'")
return people
end
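Review bot: the vulnerable query on the last added line of this hunk is still executed as-is; the parameterized form is only recommended in the comment above it, so `search_last_name` remains injectable after this commit. Apply the fix the comment describes by replacing `people = Person.where("last_name LIKE '%#{last_name}%'")` with `people = Person.where("last_name LIKE ?", "%#{last_name}%")`, which hands `last_name` to the database as a bind value instead of splicing it into the SQL text. Two smaller points: the comment block should be trimmed to the recommendation once the fix is applied, since the aside about single versus double quotes is a note to a colleague rather than documentation of the method; and even with the bind parameter, `%` and `_` typed by the user are still LIKE wildcards inside the `"%...%"` pattern, so if that matters the value should be escaped for LIKE before it is wrapped in the wildcards.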