Write Safer Where Clauses With Placeholders

Ruby has a super ergonomic syntax for string interpolation. This can make it tempting to build up ActiveRecord where clauses like so:

def get_book_by_title(title)
  Book.where("lower(title) = #{title.downcase}")
end

The where clause, as written, is vulnerable to a SQL injection attack.

There are two kinds of placeholder syntax that you can use instead handle sanitization of the SQL.

def get_book_by_title(title)
  Book.where("lower(title) = ?", title.downcase)
end

You can use multiple ? in the query and they same number of following arguments will be interpolated in order.

There is also the keyword placeholder syntax which can give you more flexibility and make the SQL read more clearly.

def get_book_by_title(title)
  Book.where("lower(title) = :title", title: title.downcase)
end

Last updated 4 years ago

Was this helpful?