Is this SQL possible with Rails? How can I sanitize?

11155 · February 5, 2010, 7:09pm

I want to do something like this in Rails: "SELECT *, COUNT(post_id) AS total FROM comments ... conditions"

Is that SELECT possible in Rails. Ohterwise, I can use find_by_sql, but i'm trying to avoid SQL injection and this SQL needs a parameter. Is there a way to sanitize this parameter?

I'll appreciate any help

pharrington · February 5, 2010, 7:30pm

"You can use the same string replacement techniques as you can with ActiveRecord#find."

http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M002267

alternatively, does :select => "*, COUNT(post_id) AS total" in your Comments.find work?

11155 · February 5, 2010, 8:46pm

Thanks a lot, find_by_sql worked! I tried to do the same, but I did not use the . I tried :select => ... also before asking, but that did not work.

pharrington wrote:

11155 · February 5, 2010, 8:56pm

I tried :select => ... also before asking, but that did not work.

Mind showing us the query? It should work I belive...

Topic		Replies	Views
Is find(params[:id]) safe? rubyonrails-talk	4	190	July 27, 2008
XSS and SQL Injection attacks rubyonrails-talk	1	113	August 1, 2008
sanitize_sql and the "%" symbol rubyonrails-talk	3	164	September 7, 2006
Complex Finds -- find_by_sql? rubyonrails-talk	1	139	July 29, 2009
find_by_sql issues... rubyonrails-talk	8	151	September 22, 2008

Is this SQL possible with Rails? How can I sanitize?

Related topics

More Resources