westfieldlabs/sanitize_order

SanitizeOrder

Sanitizes an SQL ORDER clause that may be tainted by user input. An optional whitelist limits the columns that can be sorted by and translates the given column names to actual table_name.column_name pairs.

Installation

Add this line to your application's Gemfile:

gem 'sanitize_order'

And then execute:

$ bundle

Or install it yourself as:

$ gem install sanitize_order

Usage

In your model, add

include SanitizeOrder

and in your controller safely set the order scope with

#sanitize_order(tainted_order)

or

#sanitize_order(tainted_order, whitelist)

where tainted_order is in the form of:

column_name direction, column_name direction, ...

direction is optional: it may be ASC or DESC (case is ignored) and defaults to ASC when omitted.

For example:

country asc, start_date

If a column name whitelist is given, column names are checked against it; otherwise they are validated directly against the model's table column names. column_name may take the form:

table_column_name

or

table_name.table_column_name

The whitelist is a hash of allowed input table columns and the matching actual table and column names. For example:

{
  'centre_id'   => 'centre.id',
  'enabled_at'  => 'centre.enabled_date',
  'disabled_at' => 'centre.disabled_date',
  'features'    => 'centre_features.name'
}

The whitelist is assumed to be clean and correct, so its contents are not checked; it should therefore be defined in application code rather than built from request input.
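To make the rules above concrete, here is an added stand-alone sanitizer that follows them (it is not the gem's own implementation): it parses the "column direction, ..." form, keeps only whitelisted columns, translates them, defaults the direction to ASC and drops anything else. The whitelist, the table column list and the tainted input are constructed for the example.

```ruby
# Constructed whitelist in the README's format (input name => "table.column").
WHITELIST = {
  'centre_id'   => 'centre.id',
  'enabled_at'  => 'centre.enabled_date',
  'disabled_at' => 'centre.disabled_date',
  'features'    => 'centre_features.name'
}.freeze

DIRECTIONS = %w[ASC DESC].freeze

# Parses "column direction, column direction, ..." and returns only the terms
# whose column is allowed. `allowed` is either a whitelist Hash or an Array of
# real table column names, which stands in for the README's "validate directly
# against the table column names" case. Direction is optional and matched
# case-insensitively, defaulting to ASC; a term with an unknown column, an
# unrecognised direction or trailing junk is discarded rather than passed on.
def sanitize_order_terms(tainted_order, allowed)
  mapping = allowed.is_a?(Hash) ? allowed : allowed.map { |c| [c, c] }.to_h
  tainted_order.to_s.split(',').each_with_object([]) do |term, safe|
    column, direction, extra = term.strip.split(/\s+/, 3)
    next if column.nil? || extra          # empty term, or more than two tokens
    actual = mapping[column]
    next unless actual                    # not whitelisted: drop it
    direction = direction ? direction.upcase : 'ASC'
    next unless DIRECTIONS.include?(direction)
    safe << "#{actual} #{direction}"
  end
end

# Joins the surviving terms into an ORDER BY fragment, or nil if none survived,
# so the caller can fall back to a default order instead of an empty clause.
def sanitize_order(tainted_order, allowed)
  terms = sanitize_order_terms(tainted_order, allowed)
  terms.empty? ? nil : terms.join(', ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed tainted input: `country` is not in the whitelist and is dropped.
  puts sanitize_order('enabled_at desc, country, features', WHITELIST)
  # => centre.enabled_date DESC, centre_features.name ASC
end
```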
