Create from params and secure searching

I ran into an issue.

I have users created with User.create(params[:form]), and this is secure in terms of SQL injection. But how should I find a user by email using find with :conditions?

The create method does not escape the @ sign, but :conditions => ["email = ?", params[:email]] does escape it, so user@domain (inserted into the DB by the create method) is something different from user%40domain (queried by find with :conditions).

I wonder how to properly create a :conditions statement. Of course User.find_by_email is secure (it escapes ') and finds users by email since it does not escape @, but how do I create more complicated queries with :conditions and stay SQL injection safe?

I’m going to sleep; maybe tomorrow I’ll find the right solution.


2 Comments

  1. I use MySQL too and you are right.

    My Rails Rumble participation resulted in not updating the blog :)

    It was late at night when I wrote this entry and I did not find the reason. Somewhere while validating the email format (whether it has a proper format) I did CGI::escape on this string. And thus @ became %40….

    CGI::escape 'test@example.com'
    => "test%40example.com"
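As an added example (not code from this post or from Rails itself), the Ruby below puts both observations side by side: a "?"-placeholder binder of the kind :conditions uses quotes the value but leaves @ untouched, while URL-escaping during validation, as the comment explains, is what turns @ into %40 and makes the lookup miss the stored row. bind_conditions, validate_email, buggy_validate_email, find_by_conditions and the USERS rows are hypothetical stand-ins for ActiveRecord and the database.

```ruby
require 'cgi'

# Demonstration stand-in for a "?"-placeholder binder: every "?" in the
# template becomes the SQL-quoted value with embedded single quotes doubled.
# Modelled on standard SQL string quoting, not ActiveRecord's own code.
def bind_conditions(template, *values)
  expected = template.count('?')
  raise ArgumentError, "expected #{expected} values, got #{values.size}" unless expected == values.size
  queue = values.dup
  template.gsub('?') { "'#{queue.shift.to_s.gsub("'", "''")}'" }
end

# Format check that only inspects the address and hands it back unchanged.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

def validate_email(email)
  raise ArgumentError, "malformed email: #{email.inspect}" unless email.match?(EMAIL_RE)
  email
end

# Reproduces the mistake described in the comment: URL-escaping during
# validation, so the query receives "user%40domain" instead of "user@domain".
def buggy_validate_email(email)
  validate_email(email)
  CGI.escape(email)
end

# Constructed in-memory rows standing in for what User.create stored
# (it wrote the address verbatim, "@" included).
USERS = [{ 'email' => 'user@domain.example' }].freeze

# Toy evaluator for the one statement shape bind_conditions produces here,
# "email = '<literal>'"; it undoes the quote doubling before comparing.
def find_by_conditions(sql)
  m = sql.match(/\Aemail = '((?:[^']|'')*)'\z/)
  raise ArgumentError, "unsupported SQL: #{sql}" unless m
  literal = m[1].gsub("''", "'")
  USERS.find { |row| row['email'] == literal }
end

# Validate with the given helper, bind, then run the toy lookup.
def lookup(email, validator)
  find_by_conditions(bind_conditions('email = ?', send(validator, email)))
end

if $PROGRAM_NAME == __FILE__
  p lookup('user@domain.example', :validate_email)        # finds the row
  p lookup('user@domain.example', :buggy_validate_email)  # nil: stored "@", queried "%40"
  p bind_conditions('email = ?', "x' OR '1'='1")           # quote doubled, injection inert
end
```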
