Safe ActiveRecord like query
To ensure that your query string gets properly sanitized, use the array or the hash query syntax to describe your conditions:
Foo.where("bar LIKE ?", "%#{query}%")
or:
Foo.where("bar LIKE :query", query: "%#{query}%")
If it is possible that the query
might include the %
character then you need to sanitize query
with sanitize_sql_like
first:
Foo.where("bar LIKE ?", "%#{sanitize_sql_like(query)}%")Foo.where("bar LIKE :query", query: "%#{sanitize_sql_like(query)}%")
Using Arel you can perform this safe and portable query:
title = Model.arel_table[:title]Model.where(title.matches("%#{query}%"))