Tags: ruby-on-rails, ruby, ruby-on-rails-4, activerecord, ransack

How to avoid SQL Injection in Rails with Ransack


How can we remove SQL blind injection in the following method?

def self.with_translation_value_of_language_id_eq(language_id)
  # language_id is interpolated straight into the JOIN string: this is the injection point
  joins('LEFT JOIN BOTranslationValue on BOTranslationToken.id = BOTranslationValue.boTranslationTokenID ' \
        "AND BOTranslationValue.languageID = #{language_id}")
    .select('BOTranslationToken.*, BOTranslationValue.value as current_language_value')
end

I have tried sanitize_sql_array but it is not working.

And the following way as well

def self.with_translation_value_of_language_id_eq(language_id)
  # Does not parse: there is no comma before language_id, and joins does not
  # substitute ? placeholders anyway
  joins('LEFT JOIN BOTranslationValue on BOTranslationToken.id = BOTranslationValue.boTranslationTokenID ' \
        "AND BOTranslationValue.languageID = ?" language_id )
    .select('BOTranslationToken.*, BOTranslationValue.value as current_language_value')
end

I tried multiple ways but none of them worked.

Can anyone help me with this?


Solution

You forgot to add a comma after `?`, and you are not passing the correct where condition. Assuming that BOTranslationValue and BOTranslationToken are the correct table names, try the below query:

    def self.with_translation_value_of_language_id_eq(language_id)
      # A raw string passed to joins is inserted verbatim after the FROM table,
      # so it must carry the JOIN keyword itself.
      # where takes a bind value, so language_id is quoted rather than spliced in.
      # Note: filtering in WHERE drops tokens that have no value in this language.
      joins('LEFT JOIN BOTranslationValue on BOTranslationToken.id = BOTranslationValue.boTranslationTokenID')
        .where('BOTranslationValue.languageID = ?', language_id)
        .select('BOTranslationToken.*, BOTranslationValue.value as current_language_value')
    end
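An added example, not code from the question or the answer, that builds the asker's LEFT JOIN fragment both the interpolated way and the bound way so the difference is visible without a database. The `bind` helper is my stand-in for ActiveRecord's `sanitize_sql_array` quoting (so the file runs without Rails), the inputs `7`, `"7 OR 1=1"` and `"it's"` are constructed, and the `coerce_language_id` check is an assumption of mine, not something from the thread.

```ruby
# Added example, not code from the question or the answer above.
# JOIN_SQL is the asker's LEFT JOIN with the language filter kept in the ON clause.
JOIN_SQL = 'LEFT JOIN BOTranslationValue ON BOTranslationToken.id = BOTranslationValue.boTranslationTokenID ' \
           'AND BOTranslationValue.languageID = ?'

# Vulnerable form from the question: the value is spliced straight into the SQL,
# so any SQL tokens inside language_id become part of the statement.
def unsafe_join_sql(language_id)
  'LEFT JOIN BOTranslationValue ON BOTranslationToken.id = BOTranslationValue.boTranslationTokenID ' \
    "AND BOTranslationValue.languageID = #{language_id}"
end

# Quote one value the way a binder does: integers pass through, nil becomes NULL,
# anything else is a single-quoted literal with embedded quotes doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Stand-in (assumption, not ActiveRecord's own code) for sanitize_sql_array:
# each ? is replaced by the next value, quoted; a count mismatch is an error.
def bind(sql, *values)
  raise ArgumentError, 'placeholder/value count mismatch' unless sql.count('?') == values.size
  sql.gsub('?') { quote_value(values.shift) }
end

# Safe form: the same fragment, with the value bound instead of interpolated.
def safe_join_sql(language_id)
  bind(JOIN_SQL, language_id)
end

# Extra defence for a numeric column (assumption): reject anything that is not
# an integer before it reaches the query; Integer() raises on "7 OR 1=1".
def coerce_language_id(value)
  Integer(value)
end
```

In the model itself the equivalent is `joins(sanitize_sql_array([JOIN_SQL, language_id]))`, which keeps the condition in the ON clause so tokens without a translation in that language are still returned.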