I'm building a search for my website and I'm trying to use the search query by splitting it into terms and then searching by subcategory or short_description:
whereQuery = ''
declared(params).search.downcase.split(' ').each_with_index do |searchTerm, index|
  if index != 0
    whereQuery += ' and '
  end
  whereQuery += '(lower(short_description) like "%'+searchTerm+'%" or lower(subcategory) like "%'+searchTerm+'%")'
end
orders.where(whereQuery).order(number_of_purchases: :desc, rating: :desc)
Is there a better/safer way to avoid SQL INJECTION with this query?
Use ActiveRecord chaining:
orders = Order
declared(params).search.downcase.split(' ').each do |searchTerm|
  # Each `?` is bound separately, so the term never becomes part of the SQL text.
  # (The closing `)` of the group was missing in the fragment.)
  orders = orders.where('(LOWER(short_description) LIKE ? OR LOWER(subcategory) LIKE ?)', "%#{searchTerm}%", "%#{searchTerm}%")
end
orders = orders.order(number_of_purchases: :desc, rating: :desc)
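As an added illustration (not part of the question or the answer above, and not ActiveRecord's own code), here is a plain-Ruby model of what the chained `where` does: the SQL fragment is built from fixed text and `?` placeholders, and the user's terms travel separately as bind values. The `sanitize_like` helper is an assumed stand-in for ActiveRecord's `sanitize_sql_like`, which escapes `\`, `%` and `_` so that wildcard characters typed into the search box are matched literally instead of widening the query. The unsafe builder from the question is kept only for comparison.

```ruby
# Escape LIKE metacharacters the way ActiveRecord::Base.sanitize_sql_like does
# (assumed equivalent; the default escape character there is also a backslash).
def sanitize_like(term, escape_char = "\\")
  term.gsub(/[\\%_]/) { |m| escape_char + m }
end

# Split the raw search string into terms and return the SQL fragment plus the
# bind values that would be handed to ActiveRecord's `where` separately.
# The SQL text contains only fixed column names and placeholders.
def build_search(search)
  fragments = []
  binds = []
  search.downcase.split(' ').each do |term|
    fragments << '(LOWER(short_description) LIKE ? OR LOWER(subcategory) LIKE ?)'
    pattern = "%#{sanitize_like(term)}%"
    binds << pattern << pattern
  end
  [fragments.join(' AND '), binds]
end

# The string-concatenation approach from the question, kept for comparison:
# the term itself is spliced into the SQL text, quotes and all.
def build_search_unsafe(search)
  search.downcase.split(' ').map { |term|
    '(lower(short_description) like "%' + term + '%" or lower(subcategory) like "%' + term + '%")'
  }.join(' and ')
end

if __FILE__ == $0
  # Constructed sample input containing both LIKE wildcards.
  sql, binds = build_search('Red 50%_off')
  puts sql
  p binds
  puts build_search_unsafe('Red 50%_off')
end
```

In a Rails app the same shape is `where('... LIKE ? ...', "%#{Order.sanitize_sql_like(term)}%")`. One caveat: the backslash escape is understood by MySQL and PostgreSQL by default, but SQLite's `LIKE` needs an explicit `ESCAPE '\'` clause for it to take effect.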