cuttable

Escape SQL injection when you order with params

Getting started

  1. Add to your Gemfile:
  gem 'cuttable'
  2. Include the concern and call default_order to set the default order used by the sanitize_order method:
class User < ActiveRecord::Base
  include Cuttable        # include concern
  default_order 'id desc' # set default order for sanitize_order method
end

Usage

  # good queries
  params[:order] = 'id DESC'
  User.sanitize_order(params[:order])

  params[:order] = 'id, username DESC'
  User.sanitize_order(params[:order])

  # bad query
  params[:order] = 'id, (select sleep(2000) from dual where database() like database())#'
  # sanitize_order does not pass this through; it falls back to the default order you set with default_order
  User.sanitize_order(params[:order])
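To make the "sanitize or fall back to the default" behaviour concrete, here is an added stand-alone example. It is not the cuttable gem's own implementation and needs no ActiveRecord: it accepts only comma-separated `column [ASC|DESC]` terms whose column names appear on an explicit allow-list (the `ALLOWED_COLUMNS` list and the `sanitize_order` method signature below are constructed for this example), and returns the default order for anything else, including the subquery/comment payload shown above.

```ruby
# Added example, not the cuttable gem's code: a plain-Ruby ORDER BY sanitizer.
# Strategy: never interpolate user input into SQL; instead parse it into
# (column, direction) pairs, accept only allow-listed columns, and rebuild the
# ORDER BY string from those validated parts. Anything that does not parse
# (parentheses, subqueries, '#' or '--' comments, unknown columns) falls back
# to the default order, mirroring `default_order 'id desc'` in the README.

ALLOWED_COLUMNS = %w[id username created_at].freeze # constructed allow-list
DEFAULT_ORDER   = 'id desc'.freeze                   # same default as the README

# One ORDER BY term: an identifier, optionally followed by ASC or DESC
# (case-insensitive). Anything else, e.g. "(select ...)", fails to match.
TERM_RE = /\A([a-z_][a-z0-9_]*)(?:\s+(asc|desc))?\z/i

# Returns a safe ORDER BY string built only from allow-listed columns,
# or `default` if any part of `raw` is not acceptable.
def sanitize_order(raw, allowed: ALLOWED_COLUMNS, default: DEFAULT_ORDER)
  return default if raw.nil? || raw.strip.empty?

  terms = raw.split(',').map do |piece|
    m = TERM_RE.match(piece.strip)
    return default unless m                        # not "column [ASC|DESC]"
    column    = m[1].downcase
    direction = (m[2] || 'asc').downcase
    return default unless allowed.include?(column) # unknown column: back off
    "#{column} #{direction}"                       # rebuilt from validated parts
  end
  terms.join(', ')
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_order('id DESC')            # => "id desc"
  puts sanitize_order('id, username DESC')  # => "id asc, username desc"
  puts sanitize_order('id, (select sleep(2000) from dual where database() like database())#')
  # => "id desc" (falls back to the default)
  puts sanitize_order('password')           # => "id desc" (column not allow-listed)
end
```

The important design choice is that the returned string is assembled from validated tokens, not from the original input, so a malicious parameter can never reach the query text even in part. In a Rails app the result is what you would hand to `order(...)`; the gem's `User.sanitize_order(params[:order])` provides the same protection as a class method on the model.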