TLDR - Basic search field with Ruby on Rails

Yaroslav Shmarov, DEV Community. Originally published at blog.corsego.com

MISSION: a search field that finds users whose email contains the typed characters. Example:

[Image: search-field.png, the search field in the navbar]

users_controller.rb

  def index
    if params[:email]
      # ILIKE = case-insensitive LIKE (PostgreSQL). The "?" placeholder binds the
      # value as a quoted literal, so the input cannot alter the SQL itself.
      # Note: "%" and "_" typed by the user still act as LIKE wildcards unless
      # escaped with User.sanitize_sql_like(params[:email]).
      @users = User.where('email ILIKE ?', "%#{params[:email]}%").order(created_at: :desc)
    else
      @users = User.all.order(created_at: :desc)
    end
  end


Any view, in HAML (e.g. users/index.html.haml, or inside a Bootstrap navbar):

.form-inline.my-2.my-lg-0
  -# GET form: the search term travels in the URL as ?email=...
  = form_tag(users_path, method: :get) do
    .input-group
      = text_field_tag :email, params[:email], autocomplete: 'off', placeholder: "Find a user", class: 'form-control-sm'
      %span.input-group-append
        %button.btn.btn-primary.btn-sm{:type => "submit"}
          %span.fa.fa-search{"aria-hidden" => "true"}


The same form in .html.erb, without Bootstrap:

<%= form_tag(users_path, method: :get) do %>
  <%= text_field_tag :email, params[:email], autocomplete: 'off', placeholder: "user email" %>
  <%= submit_tag "Search" %>
<% end %>


That's it! Looks nice, doesn't it?

Top comments (4)

Oliver

I'm a bit rusty so need reminding. Is User.where('email ILIKE ?', "%#{params[:email]}%") safe from injection attack?

Daniel Uber

I believe the SQL sanitization happens when you use a positional variable ? rather than the (more obvious) direct string interpolation:

      @users = User.where("email ILIKE \"%#{params[:email]}%\"").order(created_at: :desc) # unsafe/unsanitized

A little unsure on how/where that's happening, but it might be happening in the calls to sanitize_sql in build_where_clause and related query builder steps apidock.com/rails/v6.1.3.1/ActiveR...

It's documented in the security guide, guides.rubyonrails.org/security.ht... and in the query guide guides.rubyonrails.org/active_reco... and the "don't build strings yourself" bad example is more or less the same as above.
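As an added example (not code from the post, from this comment, or from Rails itself), the following pure-Ruby model shows the two points raised in the post's controller and in this comment: how a `?` placeholder quotes the bound value so a single quote in the input cannot end the SQL literal, and how `sanitize_sql_like`-style escaping stops `%` and `_` in the input from acting as wildcards. All function names are assumptions; no database or Rails gem is needed, the SQL is only built as a string.

```ruby
# Added example, not from the post or from Rails: a minimal model of what a
# "?" bind does versus raw string interpolation, plus LIKE-wildcard escaping.

# Quote a value the way a SQL bind does: wrap in single quotes and double any
# embedded single quote, so the input can never terminate the literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" with the quoted value, as where("... ?", v) does.
def bind_placeholders(sql, *values)
  raise ArgumentError, "placeholder/argument count mismatch" unless sql.count("?") == values.size
  vals = values.dup
  sql.gsub("?") { quote_literal(vals.shift) }
end

# Escape LIKE metacharacters (backslash, %, _) so they match literally. This
# mirrors ActiveRecord's sanitize_sql_like with its default escape character;
# backslash is also PostgreSQL's default LIKE escape character.
def escape_like(value, escape = "\\")
  value.to_s.gsub(/[\\%_]/) { |m| escape + m }
end

# Hardened query: bound parameter AND escaped wildcards. Only the "%" added
# by the developer around the term remain active wildcards.
def safe_email_search(input)
  bind_placeholders("SELECT * FROM users WHERE email ILIKE ?", "%#{escape_like(input)}%")
end

# The pattern this comment calls unsafe: user input spliced straight into SQL.
def unsafe_email_search(input)
  "SELECT * FROM users WHERE email ILIKE '%#{input}%'"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate name with an apostrophe, one with an underscore.
  puts unsafe_email_search("o'brien")  # apostrophe ends the literal early
  puts safe_email_search("o'brien")    # quote doubled, literal stays intact
  puts safe_email_search("john_doe")   # underscore no longer matches any character
end
```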

Oliver

What's the markup in the second example? It doesn't look like erb or HTML.

Yaroslav Shmarov

Good that you mentioned! I've updated the post to mention that it's HAML.