ruby-on-rails ruby sql-injection escaping

Safely escape strings for SQL fragments for joins, limits, selects, and so on (not conditions) on Rails

In Ruby on Rails, for conditions, it's easy to make SQL-injection-proof queries:

:conditions => ["title = ?", title]

where title comes from the outside, from a web form or something like that.

But what if you are using SQL fragments in other parts of the query, like:

:select => "\"#{title}\" AS title"   # I do have something like this in one instance
:joins => ["LEFT JOIN blah AS blah2 ON blah2.title = \"#{title}\""]

Is there a way to properly escape those strings?

Solution

Typically in Rails, joins are done as a symbol (or as a hash for second-order joins) representing an id join, and you use the conditions to filter it down. If you need to do it as shown, then you can use ActiveRecord's sanitize_sql_array to clean a SQL string, like this:

sanitize_sql_array(["LEFT JOIN blah AS blah2 ON blah2.title = ?", @blah.title])

How can I disable Hotwire / Turbo (the Turbolinks replacement) for all forms in a Rails application?
RSpec Stubbing out Date.today in order to test a method
How to specify a prefix when uploading to S3 using activestorage's direct upload?
Duration between two dates in Ruby (Rails)
CMS for ecommerce website in rails
Ruby gsub capturing groups
Can I switch to Amazon S3 later in Rails 7 after using local storage?
Rails 7/StimulusJS relative import: working on dev, but not production
Rails: ActiveSupport::MessageEncryptor::InvalidMessage
How can I unlock my gemfile so I can access the rails server?
What do I pass to schema_migration in ActiveRecord::MigrationContext#new
How do I stop Routing Errors errors from causing all sorts of warning?
Where do you put your Rack middleware files and requires?
How to prevent the <p> tag from wrapping around my input with tinymce in Rails?
Clickable Table Rows in Ruby on Rails
How to determine if one array contains all elements of another array
Adding page-specific CSS to Rails Asset Pipeline
Rails 7.1, log to STDOUT and log/production.log
Add custom fields to object in ROR application
Hit web endpoints behind Devise authentication with non-browser request in a Rails app
How to revert/undo local changes to an Activerecord object?
Disabling GraphQL introspection requests on production
carrierwave png thumbnails from svg upload
When rails app create database and collection when using MongoDb?
Sidekiq sending jobs to test queue instead of developement queue
rails assert_difference without specific difference value
How best to propogate an `admin` status to children using Rails and Ancestry
Rails minitest + authlogic cannot authenticate
How does bundler work (in general)?
`belongs_to` and `before_create` order in Rails