ruby on rails - Avoid SQL injection in ActiveRecord order


I am trying to avoid SQL injection when ordering, and I need to make sure nulls come last.

query = books.order(@vals['order'] + ' nulls last')

But if I take @vals['order'] from an API parameter, this is susceptible to SQL injection. Is there a better way to form the order and avoid this?

If this is an API, offer a fixed set of orderings to API consumers and catch the order criteria upfront in code (e.g. a whitelisting approach).

# Map the untrusted parameter to a column name chosen in code;
# anything unknown falls back to ordering by id.
if @vals['order'] == 'title'
  ordering = 'title'
elsif @vals['order'] == 'published'
  ordering = 'created_at'
else
  ordering = 'id'
end

query = books.order(ordering + ' nulls last')

It's not the prettiest of code, but at least it's safe without the need to parse the parameter.
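As an added example (not code from the question or the answer above), the same whitelist written as a lookup table in plain Ruby so it runs without Rails; the allowed keys, the `id` fallback, the direction handling and the stand-in relation class are assumptions.

```ruby
# Whitelist of API-facing order keys mapped to real column names.
# Only values from this table ever reach the ORDER BY clause.
ALLOWED_ORDERS = {
  'title'     => 'title',
  'published' => 'created_at'
}.freeze
DEFAULT_ORDER = 'id'
ALLOWED_DIRECTIONS = %w[asc desc].freeze

# Resolve the untrusted parameter to a column we chose ourselves.
# Unknown keys, nil, and any SQL fragment fall back to the default.
def order_column(param)
  ALLOWED_ORDERS.fetch(param.to_s, DEFAULT_ORDER)
end

# Direction is whitelisted as well rather than interpolated.
def order_direction(direction)
  dir = direction.to_s.downcase
  ALLOWED_DIRECTIONS.include?(dir) ? dir : 'asc'
end

# Build the fragment passed to order. The concatenation is safe because
# every piece comes from a constant table, never from the request.
def order_clause(param, direction = nil)
  clause = order_column(param)
  clause += " #{order_direction(direction)}" unless direction.nil?
  "#{clause} nulls last"
end

# Minimal stand-in for an ActiveRecord relation so the example runs here.
class FakeRelation
  attr_reader :order_sql

  def order(sql)
    @order_sql = sql
    self
  end
end

# Constructed hostile value: the whitelist never passes it through.
books = FakeRelation.new
books.order(order_clause("title; DROP TABLE books", 'desc'))
puts books.order_sql # => "id desc nulls last"
```

In Rails 6.1 and later, `order` only accepts plain strings of the form column, optional ASC/DESC and optional NULLS FIRST/LAST; anything else must be wrapped in `Arel.sql`, so keeping the whitelist avoids both the injection and that exception.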

