MISSION: a search field that finds users whose email contains the typed characters. Example:
users_controller.rb
def index
  if params[:email].present?   # present? also skips an empty search box
    # The ? placeholder binds the pattern as a quoted value, so the user's text
    # never becomes part of the SQL. ILIKE is PostgreSQL's case-insensitive LIKE.
    @users = User.where('email ILIKE ?', "%#{params[:email]}%").order(created_at: :desc)
  else
    @users = User.all.order(created_at: :desc)
  end
end
Caveat: the bind protects against SQL injection, but % and _ typed by the user still act as LIKE wildcards (a bare % matches every email). Wrap the term in User.sanitize_sql_like(...) if that matters to you.
Any view, in HAML (for example users/index.html.haml, or inside a Bootstrap navbar). The form has to submit to users_path with an :email parameter for the controller above to pick it up:
.form-inline.my-2.my-lg-0
  = form_tag(users_path, method: :get) do
    .input-group
      = text_field_tag :email, params[:email], autocomplete: 'off', placeholder: "Find a user", class: 'form-control-sm'
      %span.input-group-append
        %button.btn.btn-primary.btn-sm{:type => "submit"}
          %span.fa.fa-search{"aria-hidden" => "true"}
The same form as .html.erb, without Bootstrap:
<%= form_tag(users_path, method: :get) do %>
  <%= text_field_tag :email, params[:email], autocomplete: 'off', placeholder: "user email" %>
  <%= submit_tag "Search" %>
<% end %>
That's it! Looks nice, doesn't it?
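The comment thread asks whether the ? bind makes this query safe from injection. The following is an added example, not code from the original post: plain Ruby with no database, a small ILIKE emulation (like_match?) and a constructed list of sample emails. It shows that the bound form keeps the SQL template fixed while string interpolation splices user text into the statement, and that % and _ still act as wildcards unless the term is escaped the way ActiveRecord's sanitize_sql_like does (escape_like here is a stand-in using the same backslash escaping).

```ruby
# Added example (not from the original post). No ActiveRecord, no database:
# like_match? emulates ILIKE so the behaviour can be seen offline.

# Same escaping as ActiveRecord's sanitize_sql_like: backslash is the escape
# character, so \, % and _ in user input lose their special meaning.
def escape_like(term, escape = "\\")
  term.gsub(/[\\%_]/) { |c| "#{escape}#{c}" }
end

# The pattern the controller passes as the bind value for "email ILIKE ?".
def contains_pattern(term, escape: true)
  "%#{escape ? escape_like(term) : term}%"
end

# What direct string interpolation would produce (the shape the Rails security
# guide warns against): the user's text becomes part of the SQL itself.
def interpolated_sql(term)
  "SELECT * FROM users WHERE email ILIKE '%#{term}%'"
end

# What the parameterized form sends: a fixed template plus a separate value.
def bound_sql(term)
  ["SELECT * FROM users WHERE email ILIKE ?", [contains_pattern(term)]]
end

# Case-insensitive LIKE emulation honouring backslash escapes:
# % -> any run of characters, _ -> one character, \x -> literal x.
def like_match?(pattern, value)
  regex = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == "\\" && i + 1 < chars.length
      regex << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    regex << case c
             when "%" then ".*"
             when "_" then "."
             else Regexp.escape(c)
             end
    i += 1
  end
  !!(value =~ /\A#{regex}\z/im)
end

# Constructed sample data standing in for the users table.
EMAILS = %w[alice@example.com bob@example.org 50%off@example.net].freeze

# Runs the "contains" search the controller performs, with or without escaping.
def search(term, escape: true)
  pattern = contains_pattern(term, escape: escape)
  EMAILS.select { |e| like_match?(pattern, e) }
end

if __FILE__ == $0
  puts interpolated_sql("' OR 1=1 --")  # user text has become SQL
  p bound_sql("' OR 1=1 --")            # template unchanged, text is just a value
  p search("%", escape: false)          # unescaped wildcard: every row
  p search("%")                         # escaped: only the email containing %
end
```

The bound query is not injectable because the quote in the term never reaches the parser as SQL, but without escaping a search for "%" or "_" returns every row, which is why sanitize_sql_like exists.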
Top comments (4)
I'm a bit rusty so need reminding. Is User.where('email ILIKE ?', "%#{params[:email]}%") safe from injection attack?

I believe the SQL sanitation happens when you use a positional variable ? rather than the (more obvious) direct string interpolation. A little unsure on how/where that's happening, but it might be happening in the calls to sanitize_sql in build_where_clause and related query builder steps: apidock.com/rails/v6.1.3.1/ActiveR... It's documented in the security guide, guides.rubyonrails.org/security.ht..., and in the query guide, guides.rubyonrails.org/active_reco..., and the "don't build strings yourself" bad example is more or less the same as above.
What's the markup in the second example? It doesn't look like erb or HTML.
Good that you mentioned! I've updated the post to mention that it's HAML.