ruby on rails - Avoid SQL injection in ActiveRecord order
I'm trying to avoid SQL injection when ordering, and I need to make sure nulls come last.

query = books.order(@vals['order'] + ' nulls last')

But if I take @vals['order'] from an API parameter, this is susceptible to SQL injection. Is there a better way to form the order and avoid this?
If it's an API, offer a few kinds of ordering to API consumers and catch the order criteria upfront in code (e.g. a whitelisting approach).

# Map the untrusted parameter to one of a fixed set of column names;
# the parameter value itself never reaches the SQL string.
if @vals['order'] == 'title'
  ordering = 'title'
elsif @vals['order'] == 'published'
  ordering = 'created_at'
else
  ordering = 'id'
end
query = books.order(ordering + ' nulls last')

It's not the prettiest of code, but at least it's safe without the need to parse the parameter.
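The same whitelist idea as a lookup table, written as an added example (not the asker's or answerer's code, and it does not require Rails to run). The column names and direction keywords are constructed for the example; the only thing the untrusted parameter can do is select an entry from a fixed table, so no attacker-controlled text ever becomes part of the ORDER BY clause. Unknown keys fall back to the default column, matching the answer's else branch.

```ruby
# Added example: whitelist-based ORDER BY construction for an API sort parameter.

# Allowed API sort keys mapped to real column names (constructed for this example).
ORDER_COLUMNS = {
  'title'     => 'title',
  'published' => 'created_at',
  'id'        => 'id',
}.freeze

# Allowed sort directions; anything else falls back to ascending.
ORDER_DIRECTIONS = { 'asc' => 'asc', 'desc' => 'desc' }.freeze

# Build the ORDER BY fragment for books from two untrusted parameters.
# Every character of the result comes from the two tables above, never from
# the caller, so the fragment is safe to hand to ActiveRecord.
def safe_order_clause(order_param, direction_param = 'asc')
  column    = ORDER_COLUMNS.fetch(order_param.to_s, 'id')
  direction = ORDER_DIRECTIONS.fetch(direction_param.to_s.downcase, 'asc')
  "#{column} #{direction} nulls last"
end

# Usage in a Rails controller (assumed, not run here):
#   query = books.order(Arel.sql(safe_order_clause(params[:order], params[:dir])))
# Arel.sql marks the string as trusted; Rails 6+ otherwise raises on raw
# non-attribute strings passed to order, which is a useful safety net.
if __FILE__ == $PROGRAM_NAME
  puts safe_order_clause('published', 'desc')
  puts safe_order_clause("title; drop table books--")  # falls back to id
end
```

Because the fallback is silent, an API that wants to tell consumers about an invalid sort key can instead check `ORDER_COLUMNS.key?(param)` first and return a 400; the clause builder stays the same either way.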