I have a query I am mapping to a Struct that takes two parameters. What is the proper method for escaping the parameters to avoid sql injection issues with sqlite3, when using ActiveRecord::Base.connection.select_all? I have tried using ? but that does not seem to work at all I get an empty array. Simply sticking the variable into the string with #{} yields the expected results.
I think you can directly use the #quote method (from the ActiveRecord::ConnectionAdapters::Quoting module that’s mixed into your connection).
For example:
untrusted_user_input = “B%” c = ActiveRecord::Base.connection c.select_all “SELECT * FROM your_mom WHERE hair_color LIKE #{c.quote(untrusted_user_input)}”
All the normal AR find stuff is unavailable if you’re determined to directly use #select_all on your connection.
Hope that helps.
Thanks for the suggestion I will try it and report back.