I have the following Arel SQL:
Arel.sql("(users.last_donated_at IS NOT NULL AND users.last_donated_at < '#{User::ACTIVE_DONOR_WITHIN_DAYS.days.ago}')")
I get an SQL Injection warning when I run brakeman. I tried the following:
Arel.sql("(users.last_donated_at IS NOT NULL AND users.last_donated_at < ?)", User::ACTIVE_DONOR_WITHIN_DAYS.days.ago)
However, I get the following error:
ArgumentError: wrong number of arguments (given 2, expected 1)
How do I sanitize an SQL statement with Arel?
Answer
I am answering my own question. I am using Arel following the GitHub wiki for the Ransack gem. I was doing something very similar to point 2.2 in the doc: https://github.com/activerecord-hackery/ransack/wiki/Using-Ransackers.
In order to sanitize the params and avoid the brakeman SQL injection warning, I ended up doing the following:
Arel.sql(sanitize_sql_array("(users.last_donated_at IS NOT NULL AND users.last_donated_at < '#{User::ACTIVE_DONOR_WITHIN_DAYS.days.ago}')"))
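An added example, not code from the original question or answer, showing the difference between interpolating a value into the SQL text and binding it through `?` placeholders the way `sanitize_sql_array(["... < ?", value])` expects. ActiveRecord is not loaded here: `quote_value` and `sanitize_sql_array_stand_in` are constructed stand-ins for its quoting, and `cutoff` and `hostile` are constructed sample values. In a Rails model the real call takes the template and its binds as one array, `Arel.sql(sanitize_sql_array(["(users.last_donated_at IS NOT NULL AND users.last_donated_at < ?)", User::ACTIVE_DONOR_WITHIN_DAYS.days.ago]))`, whereas `Arel.sql` itself accepts only the SQL string, which is the arity error in the question.

```ruby
require "time"

# Quote one bind value roughly the way a SQL adapter does. This is a constructed
# stand-in for the quoting inside ActiveRecord::Base.sanitize_sql_array, not
# ActiveRecord's own code.
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  when Time then "'#{value.utc.strftime('%Y-%m-%d %H:%M:%S')}'"
  else "'#{value.to_s.gsub("'", "''")}'" # double any embedded single quote
  end
end

# Stand-in for sanitize_sql_array(["sql with ?", bind, ...]): each ? is replaced
# by its quoted bind, left to right. Splitting first means a quoted bind that
# itself contains "?" can never be mistaken for a placeholder.
def sanitize_sql_array_stand_in(template, *binds)
  parts = template.split("?", -1)
  unless parts.size - 1 == binds.size
    raise ArgumentError, "expected #{parts.size - 1} binds, got #{binds.size}"
  end
  quoted = binds.map { |b| quote_value(b) }
  parts.zip(quoted + [""]).flatten.join
end

# The interpolating form from the question: the value lands in the SQL text verbatim.
def donor_clause_interpolated(cutoff)
  "(users.last_donated_at IS NOT NULL AND users.last_donated_at < '#{cutoff}')"
end

# The bound form: the value is quoted by the sanitizer, never spliced into the text.
def donor_clause_bound(cutoff)
  sanitize_sql_array_stand_in(
    "(users.last_donated_at IS NOT NULL AND users.last_donated_at < ?)", cutoff
  )
end

if __FILE__ == $PROGRAM_NAME
  cutoff = Time.utc(2020, 1, 1)       # constructed sample cutoff
  hostile = "2020-01-01' OR '1'='1"   # constructed hostile value
  puts donor_clause_bound(cutoff)
  puts donor_clause_interpolated(hostile)
  puts donor_clause_bound(hostile)
end
```

Sanitizing a string that already has the value interpolated into it, as in the accepted pattern above, gives the sanitizer no binds to quote, so the string comes back unchanged; Brakeman stops warning only because it sees the sanitizer call. For a `Time` produced by `days.ago` that is harmless, but the same pattern with user-controlled input stays injectable, which is what the `hostile` value demonstrates.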