In my controller action, I have the following:
def index
@articles = (params[:mine] == "true") ? current_user.articles : Article.search(params[:search])
@articles = @articles.sort! { |a,b| b.created_at <=> a.created_at }
@articles = Kaminari.paginate_array(@articles).page(params[:page]).per(25)
respond_to do |format|
format.html
format.json { render json: @articles }
end
end
And in the model:
def self.search(search)
if search.present?
where("category LIKE ? OR article_type LIKE ?", "%#{search}%","%#{search}%")
else
find(:all)
end
end
I understand that SQL injection would be possible if you use params directly in a query. Here, I'm passing params directly to the where query through Article.search(params[:search])
. Is this prone to SQL injection? If it is, how can I make it more secure? I also have my doubts if I've written the controller code properly. If you have suggestions in refactoring the controller code, please do let me know and they'll be very much appreciated. Thanks a lot!