mysql ruby-on-rails select sql-injection sanitization

How to use the '?' symbol in a MySQL select in Ruby On Rails?

I need to get the pertinence of a MySQL Fulltext search in my Rails 4.2 app. So I need an alias (pertinence) in the select clause.

The problem is to use the '?' symbol as in a where clause, but in a select:

Model.select("articles.*, MATCH (name) AGAINST (? IN BOOLEAN MODE) AS pertinence", @search).where(...).order("pertinence DESC")

If I do:

Model.select('articles.*, MATCH (name) AGAINST ("' + @search + '" IN BOOLEAN MODE) AS pertinence').where(...).order("pertinence DESC")

I can have issues with quotes in @search (no sanitization) and SQL injection.

So how to perform this kind of queries with Active Record ?

Thanks

Solution

You can manually sanitize the search parameter.

search_param = ActiveRecord::Base::sanitize(@search)

Model.select("articles.*, MATCH (name) AGAINST (#{search_param} IN BOOLEAN MODE) AS pertinence").where(...).order("pertinence DESC")

Distinguish between two maximum values in a column with Power Query
Power Query Conditional JOIN - JOIN with WHERE clause
Calculate combinations for a range of text values in excel
How to update a column's values in Power BI M Language
What's the difference between DAX and Power Query (or M)?
Sorting issue when consolidating monthly data into a year to date file. Using query, sorting by day, time, and letter
Power Query `List.Generate` runs too slow
Custom Colum based on specific dates in powerquery
How do I properly use table.group in a PowerQuery query to dynamically summarize different rows and columns?
Excel Power Query syntax issue transform multiple columns of records
How to capitalize only first letter of a sentence
Power Query Import For Power BI with group by on SelectRows
Get data from config table cell when loading data source with power query
Translate Excel Formula into Power Query
Counting matching pairs of letters in lists of bigrams in Power Query M
Bigrams of a string in Power Query M
Power Query code to refer to another query (and how buffering works)
M code for the equivalent of of Left (string, len(string)-11)
How to add a missing column to the Transform Sample File
How to add or insert ' (single quotes) for every string in a list in which strings are separated by commas in Power Query
Power BI M code Split column from Lowercase to Uppercase won't include diacritics (accents)
M Code(Power Query) to Remove Empty columns that runs fast
How to find the value with date closest to another date
Error when build AOSP 14 - internal error: undefined variable CTS_TEST_SUITES_DEFAULT
Call a table using a dynamic identifier
Problem getting the value from a cell using M in excel
How to rename columns based on the data within them in Power Query M?
Power Query return a field name based on parameter
Power Query: after combining 2 tables got something strange
Token Literal Expected Error in Power Query M Code using try and List.MatchesAny