How to safely escape raw sql with connection.select_all

I have a query I am mapping to a Struct that takes two parameters. What is the proper method for escaping the parameters to avoid sql injection issues with sqlite3, when using ActiveRecord::Base.connection.select_all? I have tried using ? but that does not seem to work at all I get an empty array. Simply sticking the variable into the string with #{} yields the expected results.

I think you can directly use the #quote method (from the ActiveRecord::ConnectionAdapters::Quoting module that’s mixed into your connection).

For example:

untrusted_user_input = “B%”
c = ActiveRecord::Base.connection
c.select_all “SELECT * FROM your_mom WHERE hair_color LIKE #{c.quote(untrusted_user_input)}”

All the normal AR find stuff is unavailable if you’re determined to directly use #select_all on your connection.

Hope that helps.

Thanks for the suggestion I will try it and report back.