Safe way to send parameters to stored procedure in ROR

Question

I will make simpler than it is to get the answer I need without make you read a lot of code.

MySQL stored procedure:

CREATE PROCEDURE add_player
(IN name varchar(100),
 IN isTrue boolean)
BEGIN
  START TRANSACTION;

  insert into tags (name,is_player) values (name,isTrue);

  COMMIT;
END //

player_controller.rb

ActiveRecord::Base.connection.execute("call add_player('#{name}', #{is_player})")

Two problems I see(if you see more - say):

if name contains ' it breaks the call
sql injection - I don't use ? as parameters when I call the stored procedure. The reason is that it's just not working when I'm try with ?. I tried also change it to Player.where("add_player(?,?)",name,is_player)

score 0 · Accepted Answer · edited May 23 '17 at 11:43

0

Did you try something like this ?

ActiveRecord::Base.connection.execute("call add_player(#{ActiveRecord::Base.sanitize(name)}, #{is_player})")

There is another way suggested on the following SO link

using sanitize_sql_array to escape strings

The only problem is that sanitize_sql_array is not a public method

edited May 23 '17 at 11:43

Community

1
1

answered Aug 29 '15 at 16:11

Kinaan Khan Sherwani

1,504
16
28

Safe way to send parameters to stored procedure in ROR

1 Answers1