Ruby has a super ergonomic syntax for string interpolation. This can make it
tempting to build up ActiveRecord where clauses like so:
def get_book_by_title(title)
Book.where("lower(title) = #{title.downcase}")
endThe where clause, as written, is vulnerable to a SQL injection attack.
There are two kinds of placeholder syntax that you can use instead handle sanitization of the SQL.
def get_book_by_title(title)
Book.where("lower(title) = ?", title.downcase)
endYou can use multiple ? in the query and they same number of following
arguments will be interpolated in order.
There is also the keyword placeholder syntax which can give you more flexibility and make the SQL read more clearly.
def get_book_by_title(title)
Book.where("lower(title) = :title", title: title.downcase)
end