ruby - Prevent SQL injection in Rails
I am using the following query to find the nearest locations for Google Maps. Is it immune to SQL injection? If not, can you help me get rid of it?
AlphaCourse.find_by_sql("SELECT *, ( 6371 * acos( cos( radians( #{@latitude} ) ) * cos( radians( latitude ) ) * cos( radians( longitude ) - radians( #{@longitude} ) ) + sin( radians( #{@latitude} ) ) * sin( radians( latitude ) ) ) ) AS distance FROM alpha_courses HAVING distance <= #{@radius} ORDER BY distance LIMIT 200")

Thanks in advance.
From: http://guides.rubyonrails.org/active_record_querying.html#pure-string-conditions
This code:

....("orders_count = ?", params[:orders])

is highly preferable to this code:

....("orders_count = #{params[:orders]}")

because of argument safety. Putting the variable directly into the conditions string will pass the variable to the database as-is. This means that it will be an unescaped variable coming directly from a user who may have malicious intent. If you do this, you put your entire database at risk, because once a user finds out they can exploit your database, they can do just about anything to it. Never ever put your arguments directly inside the conditions string.

Apply this to your example!
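To show what that advice looks like for the distance query in the question, here is an added example (not code from the question or the Rails guide) that builds the same haversine query the interpolated way and the bound way. It assumes the model is AlphaCourse over the alpha_courses table, as in the question, and runs without Rails; only the final commented line needs ActiveRecord.

```ruby
# Placeholder version of the query: the four "?" are filled by ActiveRecord's
# sanitize_sql_array when the array form is passed to find_by_sql.
DISTANCE_SQL = <<~SQL
  SELECT *, ( 6371 * acos( cos( radians( ? ) ) * cos( radians( latitude ) )
    * cos( radians( longitude ) - radians( ? ) )
    + sin( radians( ? ) ) * sin( radians( latitude ) ) ) ) AS distance
  FROM alpha_courses
  HAVING distance <= ?
  ORDER BY distance
  LIMIT 200
SQL

# Vulnerable form, as in the question: request values are spliced straight
# into the SQL text, so whatever the client sends becomes part of the query.
def unsafe_distance_sql(latitude, longitude, radius)
  "SELECT *, ( 6371 * acos( cos( radians( #{latitude} ) ) * cos( radians( latitude ) ) " \
  "* cos( radians( longitude ) - radians( #{longitude} ) ) " \
  "+ sin( radians( #{latitude} ) ) * sin( radians( latitude ) ) ) ) AS distance " \
  "FROM alpha_courses HAVING distance <= #{radius} ORDER BY distance LIMIT 200"
end

# Hardened form: every value must parse as a number (Float() raises
# ArgumentError otherwise), and the numbers travel separately from the SQL
# text so the database driver, not string formatting, supplies them.
def safe_distance_query(latitude, longitude, radius)
  lat, lng, rad = [latitude, longitude, radius].map { |v| Float(v.to_s) }
  [DISTANCE_SQL, lat, lng, lat, rad]
end

# In a Rails controller (assumed usage):
# AlphaCourse.find_by_sql(safe_distance_query(params[:lat], params[:lng], params[:radius]))
```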