At the moment, my code looks like this:
@events = Event.tagged_with(params[:search_input])
But such a query allows SQL injection and should be avoided.
Rubyonrails.org tells us how to avoid such attacks (http://guides.rubyonrails.org/security.html#sql-injection)
For example, using question marks:
Model.where("login = ? AND password = ?", entered_user_name, entered_password).first
However, I don't know how to sanitize the user input for this gem. I tried the following:
@events = Event.tagged_with("?", "%#{params[:search_input]}%")
But this leads to the following error:
TypeError (no implicit conversion of Symbol into String):
Any ideas how to sanitize this input? Thanks in advance!
In this case, the acts_as_taggable_on gem is handling the sanitization for you. All you need to do is pass your params value to the gem. Try this:
@events = Event.tagged_with(params[:search_input])
Typically, you would use the approach that you were attempting when you interact directly with ActiveRecord. In this case, acts_as_taggable_on is doing all of that for you, internally, using the query parameter mechanism. The interface to the gem doesn't allow you to also use parameterization, which is what caused the error.