Monday, 6 February 2017

Ruby on Rails prepared statement for Oracle view/function

I have the following code, which executes an Oracle view as follows:

def run_query
    # Each *_param helper returns an already-quoted SQL fragment (e.g. 'ALL'),
    # which is spliced straight into the statement text.
    connection.exec_query(
      "SELECT * FROM TABLE(FN_REQRESP(#{type_param},
                                      #{search_type_param},
                                      #{tid_param},
                                      #{last_param},
                                      #{key_param},
                                      #{tran_id_param},
                                      #{num_param},
                                      #{start_date_param},
                                      #{end_date_param}))")
end

The output of the above query is as follows:

SELECT * FROM TABLE(FN_REQRESP('ALL',
 'ALL_TRAN',
 '100007',
 '',
 '',
 '',
 '',
 TO_DATE('27-January-2017','dd-MON-yy'),
 TO_DATE('31-January-2017','dd-MON-yy'))) 

The problem is that the above query has a SQL injection vulnerability.

So, I tried to add a prepared statement as follows:

 connection.exec_query(
   'SELECT * FROM TABLE(FN_REQRESP(?,?,?,?,?,?,?,?,?))',
   'myquery',
   [type_param, search_type_param, tid_param, last_param, key_param,
    tran_id_param, num_param, start_date_param, end_date_param])

I get the following error now:

NoMethodError: undefined method `type' for "'ALL'":String: SELECT * FROM TABLE(FN_REQRESP(?,?,?,?,?,?,?,?,?))

It's the single quotes that are messing it up, I believe. Is there a way to overcome this?
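The following is an added example written for this page; it is not code from the original post or from Rails. It shows the two ways of building the FN_REQRESP call side by side: the interpolated form from the question, where a value containing a single quote becomes part of the SQL text, and a prepared form where the SQL text is a constant with Oracle-style positional placeholders and the values travel separately as bind parameters. The parameter names are the post's; the placeholder style (`:1` .. `:9`), the bind-object shape in `to_bind_attributes` (Rails 5's `ActiveRecord::Relation::QueryAttribute`), the `RecordingConnection` stand-in and the sample values (including the hostile `tid`) are assumptions and constructed input, so the block runs without a database or ActiveRecord installed.

```ruby
require "date"

# Added example, not code from the original post. It keeps the post's
# parameter names but treats them as raw values: bind parameters must never
# be pre-quoted SQL fragments such as "'ALL'" or a TO_DATE(...) expression.
#
# Assumptions: Oracle positional placeholders (:1 .. :9) and the bind object
# shape used in to_bind_attributes depend on the Rails / oracle-enhanced
# versions in use; check them against your adapter.

PARAM_NAMES = %i[type search_type tid last key tran_id num start_date end_date].freeze

# SQL text for the prepared form. It is a constant: no request data ever
# touches it, which is the whole point of binding.
REQRESP_SQL_BOUND =
  "SELECT * FROM TABLE(FN_REQRESP(:1, :2, :3, :4, :5, :6, :7, :8, :9))".freeze

# The post's approach: quote by hand and splice into the SQL text.
# Any value containing a single quote changes the statement's structure.
def reqresp_sql_interpolated(params)
  lit = lambda do |v|
    case v
    when nil  then "''"
    when Date then "TO_DATE('#{v.strftime('%d-%B-%Y')}','dd-MONTH-yyyy')"
    else "'#{v}'"
    end
  end
  "SELECT * FROM TABLE(FN_REQRESP(" +
    PARAM_NAMES.map { |n| lit.call(params[n]) }.join(", ") + "))"
end

# Prepared form: the values in placeholder order, unquoted. Dates go as Date
# objects (the driver binds them as DATE, so no TO_DATE is needed); empty
# strings are sent as NULL, which is what Oracle makes of '' anyway.
def reqresp_binds(params)
  PARAM_NAMES.map do |n|
    v = params[n]
    v.is_a?(String) && v.empty? ? nil : v
  end
end

# Wrap raw values in ActiveRecord bind objects when ActiveRecord is loaded.
# Assumed Rails 5 API: ActiveRecord::Relation::QueryAttribute.new(name, value, type).
# Rails 4.x expected [column, value] pairs instead; a plain String in either
# position is what produces "undefined method `type' for ...:String".
# Without ActiveRecord the raw values are returned unchanged.
def to_bind_attributes(values)
  return values unless defined?(ActiveRecord::Relation::QueryAttribute)
  values.each_with_index.map do |v, i|
    type = v.is_a?(Date) ? ActiveRecord::Type::Date.new : ActiveRecord::Type::String.new
    ActiveRecord::Relation::QueryAttribute.new("p#{i + 1}", v, type)
  end
end

# Replacement for the post's run_query: same exec_query(sql, name, binds)
# call shape, with the data kept out of the SQL text.
def run_query(connection, params)
  connection.exec_query(REQRESP_SQL_BOUND, "myquery",
                        to_bind_attributes(reqresp_binds(params)))
end

# Constructed stand-in for a Rails connection so the example runs offline;
# it records what would have been sent to the database.
class RecordingConnection
  attr_reader :calls
  def initialize; @calls = []; end
  def exec_query(sql, name, binds)
    @calls << { sql: sql, name: name, binds: binds }
    []
  end
end

# Constructed sample input: the values from the post, plus one hostile tid
# showing how interpolation lets a value rewrite the SQL.
NORMAL_PARAMS = {
  type: "ALL", search_type: "ALL_TRAN", tid: "100007",
  last: "", key: "", tran_id: "", num: "",
  start_date: Date.new(2017, 1, 27), end_date: Date.new(2017, 1, 31)
}.freeze
HOSTILE_PARAMS = NORMAL_PARAMS.merge(tid: "100007' OR '1'='1").freeze

if $PROGRAM_NAME == __FILE__
  puts reqresp_sql_interpolated(HOSTILE_PARAMS)   # the payload is now SQL
  conn = RecordingConnection.new
  run_query(conn, HOSTILE_PARAMS)
  p conn.calls.last                               # the payload is just a value
end
```

Two things to check against your own setup before relying on this: which placeholder syntax your Oracle adapter expects (positional `:1` binds are assumed here; `?` is not Oracle syntax), and which object the third argument of `exec_query` must contain for your Rails version. Either way the fix has two halves that are easy to conflate: the `*_param` helpers must return raw values rather than quoted fragments, and those values must be handed to the adapter in the bind shape it understands, not as bare strings.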
