Recently, we were trying to write a <code>similarity(...)</code> query in Postgres, and needed to pass in a parameter into a <code>SELECT</code> clause. Brakeman came back saying that we had a <code>Possible SQL Injection</code>. After looking at the code, we were directly interpolating the input into the SQL string, so it was absolutely right:
<pre><code class="lang-ruby">def self.with_similarity_to(cpu)
 select("similarity(cpu, #{cpu}) as similarity", '*')
end
</code></pre>
Typically to solve this kind of problem, you can use <code>?</code>s in your query and Rails will <a target="_blank" href="https://guides.rubyonrails.org/active_record_querying.html#array-conditions">replace them automatically</a>:
<pre><code class="lang-ruby">Book.where("title = ?", params[:title])
</code></pre>
EXCEPT! The <code>select</code> method doesn't allow you to do this. Additional parameters passed to the select method are just enumerated in the select clause:
<pre><code class="lang-ruby">select("blah", "dad").to_sql # =&gt; SELECT blah, dad FROM...
</code></pre>
So how do you escape input here so as to be safe from SQL injection?
Use <a target="_blank" href="https://api.rubyonrails.org/classes/ActiveRecord/Sanitization/ClassMethods.html#method-i-sanitize_sql_array"><code>ActiveRecord#sanitize_sql_array</code></a>:
<pre><code class="lang-ruby">sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])
# =&gt; "name='foo''bar' and group_id=4"
</code></pre>
This will make our statement safe (or at least, much safer than before) and we can move on!
<pre><code class="lang-ruby">def self.with_similarity_to(cpu)
 select(sanitize_sql_array(["similarity(cpu, ?) as similarity", cpu]), '*')
end
</code></pre>
Any other pro tips on how to handle this? Let me know!

Recently, we were trying to write a `similarity(...)` query in Postgres, and needed to pass in a parameter into a `SELECT` clause. Brakeman came back saying that we had a `Possible SQL Injection`. After looking at the code, we were directly interpolating the input into the SQL string, so it was absolutely right:

```ruby
def self.with_similarity_to(cpu)
  select("similarity(cpu, #{cpu}) as similarity", '*')
end
```

Typically to solve this kind of problem, you can use `?`s in your query and Rails will [replace them automatically](https://guides.rubyonrails.org/active_record_querying.html#array-conditions):

```ruby
Book.where("title = ?", params[:title])
```

EXCEPT! The `select` method doesn't allow you to do this. Additional parameters passed to the select method are just enumerated in the select clause:

```ruby
select("blah", "dad").to_sql # => SELECT blah, dad FROM...
```

So how do you escape input here so as to be safe from SQL injection?

Use [`ActiveRecord#sanitize_sql_array`](https://api.rubyonrails.org/classes/ActiveRecord/Sanitization/ClassMethods.html#method-i-sanitize_sql_array):

```ruby
sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])
# => "name='foo''bar' and group_id=4"
```

This will make our statement safe (or at least, much safer than before) and we can move on!

```ruby
def self.with_similarity_to(cpu)
  select(sanitize_sql_array(["similarity(cpu, ?) as similarity", cpu]), '*')
end
```

Any other pro tips on how to handle this? Let me know!

Safe Rails Selects with Bound Parameters

Hone your Ruby on Rails craft.  Tips, tricks, and articles from a professional engineer with 10+ years of experience.
