I am used to working with PHP and prepared statements. Now, when I was looking at the following piece of code from Rails (since I am new to Rails and not sure about the syntax and such), I was wondering if the code is prone to SQL injection.
Code snippet (controller); param q is the value from a search box:
def index
  # builds "%<q>%" for LIKE, escaping the wildcard characters % and _ found in the input
  query = %w(% %).join(params[:q].to_s.gsub('%', '\\%').gsub('_', '\\_'))
  # pattern is passed through the ? placeholders; the sort column comes straight from the request
  @posts = Post.where("name LIKE ? OR body LIKE ?", query, query).order(params[:order])
end
Thanks
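As an added example (not from the post or from Rails itself): the `?` placeholders in `where` bind the pattern as data, but `order` takes its argument as raw SQL, so the defensive pattern is to escape the LIKE metacharacters (backslash included) and map `params[:order]` onto a fixed allowlist. Written in plain Ruby so it runs without Rails; the controller usage is sketched in a comment and assumes ActiveRecord.

```ruby
# Escape the characters that are special inside a SQL LIKE pattern.
# The backslash is included: without it, a trailing "\" in the input would
# swallow the closing "%" wildcard. ActiveRecord's sanitize_sql_like does
# the same job; this is a standalone version of that idea.
def like_pattern(raw)
  escaped = raw.to_s.gsub(/[\\%_]/) { |m| "\\#{m}" }
  "%#{escaped}%"
end

# ORDER BY cannot take a bind parameter, so user-chosen sorting must be
# mapped onto an allowlist instead of interpolated. Unknown columns or
# directions fall back to a safe default rather than reaching the database.
ORDERABLE  = { "name" => :name, "created_at" => :created_at }.freeze
DIRECTIONS = { "asc" => :asc, "desc" => :desc }.freeze

def safe_order(param)
  column, direction = param.to_s.strip.split(/\s+/, 2)
  col = ORDERABLE.fetch(column.to_s.downcase, :created_at)
  dir = DIRECTIONS.fetch(direction.to_s.downcase, :asc)
  { col => dir }
end

# In the controller (hypothetical; assumes Rails/ActiveRecord and a Post model):
#   q = like_pattern(params[:q])
#   @posts = Post.where("name LIKE ? OR body LIKE ?", q, q)
#                .order(safe_order(params[:order]))
```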