mysql ruby-on-rails select sql-injection sanitization

How to use the '?' symbol in a MySQL select in Ruby On Rails?

I need to get the pertinence of a MySQL Fulltext search in my Rails 4.2 app. So I need an alias (pertinence) in the select clause.

The problem is to use the '?' symbol as in a where clause, but in a select:

Model.select("articles.*, MATCH (name) AGAINST (? IN BOOLEAN MODE) AS pertinence", @search).where(...).order("pertinence DESC")

If I do:

Model.select('articles.*, MATCH (name) AGAINST ("' + @search + '" IN BOOLEAN MODE) AS pertinence').where(...).order("pertinence DESC")

I can have issues with quotes in @search (no sanitization) and SQL injection.

So how to perform this kind of queries with Active Record ?

Thanks

Solution

You can manually sanitize the search parameter.

search_param = ActiveRecord::Base::sanitize(@search)

Model.select("articles.*, MATCH (name) AGAINST (#{search_param} IN BOOLEAN MODE) AS pertinence").where(...).order("pertinence DESC")

Will modifying the primary key type using ALTER in MySQL reset the auto-increment value to 0?
Auto-increment is not resetting in MySQL
Php update database if checkbox is not checked
Retrieve 10 records from MySQL?
how to use str_to_date (MySQL) to parse two-digit year correctly
sum column value(s) if previous values has same value with current value from the same table in mysql
JDBC connection without database definition
Checking connection to MySQL (Java)
WARN: Establishing SSL connection without server's identity verification is not recommended
how to solve django.db.utils.NotSupportedError in django
How to make an Inner Join in django?
Can I order by a conditional combination of fields in MySQL?
Select from 2 tables in the last 30 days, return 0 if null/not exist
Can't connect to local MySQL server through socket '/var/mysql/mysql.sock' (38)
Access denied for user 'root@localhost' (using password:NO)
Watching a table for change in MySQL?
table is specified twice both as a target for INSERT and as separate source of data
Python Mysql, "commands out of sync; you can't run this command now"
Does Laravel's "soft_delete" need index on MySQL?
How do I access a field from the main query inside a sub query in mySQL?
Not getting unpaid or partially paid records some can help me?
Warning: The post-install step did not complete successfully when trying to install mysql using brew in Mac OS High Sierra
MySQL Entity Attribute Value table structure proposal
CodeIgniter SELECT query on table with JOIN and WHERE IN a subquery
is there a MYSQL tables schema for storing raw material, intermediate and final products?
MySQL: Total GROUP BY WITH ROLLUP curiosity
Problem with pip install mariadb - mariadb_config not found
nodejs mysql memory leak on large volume of high frequency queries
`MODIFY COLUMN` vs `CHANGE COLUMN`
Displaying BLOB image from Mysql database into dynamic div in html