
LIKE injection - mastahyeti
http://githubengineering.com/like-injection/
======
acconrad
Perhaps GitHub isn't on Rails 4.2, but they've already created a method for
sanitizing SQL LIKE statements in ActiveRecord::Sanitization[1], so they
shouldn't need a custom function to remove SQL injection. Also, you could
always just use ActiveRecord::Base.connection.quote which will safely quote
the string you want to input.

[1] http://apidock.com/rails/ActiveRecord/Sanitization/ClassMethods/sanitize_sql_like

~~~
_jomo
ActiveRecord::Base.connection.quote doesn't escape % or any other LIKE-special
character.

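An added example illustrating the exchange above (it is not code from the GitHub post, and not Rails' own code): a plain-Ruby reimplementation of what ActiveRecord's sanitize_sql_like does, a string quoter that behaves like connection.quote for string literals, and a toy LIKE evaluator so the effect of an unescaped `%` or `_` can be observed without a database. The email list and the `search` helper are constructed for the example.

```ruby
# Added example (not from the GitHub post or from Rails): how LIKE
# metacharacters in user input change a query's meaning, and the escaping
# that Rails' sanitize_sql_like performs, rewritten here in plain Ruby so
# the script runs without ActiveRecord or a database.

# Same behaviour as ActiveRecord::Sanitization::ClassMethods#sanitize_sql_like:
# prefix %, _ and the escape character itself with the escape character.
def sanitize_sql_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| [escape_character, x].join }
end

# What connection.quote does for a string literal: wrap it in single quotes
# and double any embedded single quote. % and _ pass through untouched,
# which is the gap pointed out in the reply above.
def quote_literal(string)
  "'" + string.gsub("'", "''") + "'"
end

# Toy LIKE evaluator honouring an ESCAPE character (case-sensitive, for
# demonstration only; real engines differ in collation details).
def like?(value, pattern, escape_character = "\\")
  regex = String.new
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == escape_character && i + 1 < chars.length
      regex << Regexp.escape(chars[i + 1]) # escaped char is literal
      i += 2
      next
    end
    regex << case c
             when "%" then ".*" # any sequence of characters
             when "_" then "."  # exactly one character
             else Regexp.escape(c)
             end
    i += 1
  end
  Regexp.new("\\A#{regex}\\z", Regexp::MULTILINE).match?(value)
end

# Constructed sample data for the example.
CONSTRUCTED_EMAILS = %w[alice@example.com bob@example.org dhomes@gmail.com].freeze

# Builds the SQL a naive "contains <term>" search would send. Quoting
# alone leaves the wildcards in place.
def build_query(term, escape: true)
  term = sanitize_sql_like(term) if escape
  "SELECT * FROM users WHERE email LIKE #{quote_literal("%#{term}%")} ESCAPE '\\'"
end

# Evaluates the same "contains <term>" search against the sample list.
# With escaping off, a term of "%" or "_" matches every row.
def search(term, escape: true)
  term = sanitize_sql_like(term) if escape
  CONSTRUCTED_EMAILS.select { |e| like?(e, "%#{term}%") }
end

if __FILE__ == $PROGRAM_NAME
  puts build_query("%", escape: false) # wildcard survives quoting
  puts build_query("%")                # wildcard escaped
  p search("%", escape: false)         # every row
  p search("%")                        # no row contains a literal %
  p search("gmail")                    # only the gmail address
end
```

Note the explicit `ESCAPE '\'` clause in the generated SQL: MySQL and PostgreSQL treat backslash as the default LIKE escape character, but SQLite has no default escape character at all, so escaping with sanitize_sql_like is only effective there if the query also names the escape character.
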
------
_jomo
The LIKE query '%64%68%6f%6d%65%73@%67%6d%61%69%6c.%63%6f%6d%' wasn't an
injection attempt, it's just a URL-encoded email address. Most likely it was
accidentally double-encoded in the search URL for some reason, so it ended up
still encoded in the SQL query.

------
benjojo12
I actually had this issue in a chat room bot where people would do exactly
this to attempt (and in some cases succeed in) a DoS against the database.

