I'm new to Ruby on Rails and I'm using a form_helper to create and update records. In the form below, I'm collecting information to save data for maps that users can create. The :name field is the name that user gives to a map. It's saved to a MySQL table into a field that is varchar(255).
If I name a map "John's Map", it appears in both the database and in the view as
John's Map
How can I prevent this from happening, and is my code susceptible to SQL injection with this approach?
I've seen some responses related to Python and PHP, but I wasn't sure about Rails. I'm using Virtualmin to create tables, so any responses that let me address the issue within Virtualmin would be much appreciated. Thanks!
From View
<% form_for @newsavedmap, :html=>{:id=>'createaMap'} do |f| %>
<%= f.error_messages %>
<% if params[:newsavedmap_id] %>
<p><%= f.text_field :name, {:id=>"savemap_name", :size=>30, :value=> @newsavedmap.name }%></p>
<% else %>
<p><%= f.text_field :name, {:id=>"savemap_name", :size=>30, :value=>"New Map"}%></p>
<% end %>
<% end %>
Database Table Details
DROP TABLE IF EXISTS `newsavedmaps`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `newsavedmaps` (
FIELDSAREALLLISTEDHERE
`name` varchar(255) DEFAULT NULL,
) ENGINE=InnoDB AUTO_INCREMENT=159 DEFAULT CHARSET=utf8;
/*!40101 SET character_set_client = @saved_cs_client */;
Other tables in the database display the apostrophe. For example, I have another form that looks like the one below, and when a user enters a name with an apostrophe, the apostrophe appears as an apostrophe in the table.
<form id="createitem" action="/saveditems" method="post">
<label for="saveditem_name">Item Title</label>
<%= text_field :saveditem, :name %>
</form>
That table's structure:
DROP TABLE IF EXISTS `saveditems`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `saveditems` (
FIELDSAREALLLISTEDHERE
`name` varchar(255) NOT NULL,
) ENGINE=MyISAM AUTO_INCREMENT=8418 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
Edit 1
I used ALTER TABLE newsavedmaps CONVERT TO CHARACTER SET latin1; and my newsavedmaps table now looks like this:
DROP TABLE IF EXISTS `newsavedmaps`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `newsavedmaps` (
FIELDS ALL LISTED HERE
) ENGINE=InnoDB AUTO_INCREMENT=248 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
The apostrophes now appear correctly in the database, but they still show up in the view as strange characters. Any ideas? Could this have anything to do with this: https://github.com/rails/rails/issues/9108
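Added example (not part of the question above, and not Rails code): the symptom described, an apostrophe that is stored correctly but renders as odd characters, is almost always an HTML-escaping problem, not a SQL-injection or character-set problem. The plain-Ruby script below separates the three layers the question runs together. It uses only the standard library (`ERB::Util.html_escape` is the same escaping that Rails applies to a plain String inside `<%= %>`; `CGI.unescapeHTML` reverses it). The function names `normalize_for_storage`, `render_html`, `double_escaped?`, `charset_neutral?` and `sql_string_literal` are the example's own, and the ANSI `''` quoting in `sql_string_literal` is shown only to contrast SQL quoting with HTML escaping; in Rails, ActiveRecord performs the SQL quoting for you when you assign form parameters and call `save`.

```ruby
require "erb"
require "cgi"

# Constructed sample input: the value a user typed into the savemap_name field.
USER_INPUT = "John's Map"

# Layer 1 (storage): the database column should hold the literal apostrophe.
# If some earlier step already HTML-escaped the value (for example a sanitizer
# or a helper applied in the controller), undo it so the entity is not persisted.
def normalize_for_storage(raw)
  CGI.unescapeHTML(raw.to_s.strip)
end

# Layer 2 (output): escape exactly once, at render time. This mirrors what
# Rails does to a plain String in <%= %>. Persisting this result instead of
# the raw string is the bug that produces "&amp;#39;" on the page.
def render_html(stored)
  ERB::Util.html_escape(stored)
end

# Check for the symptom in the question: a stored value that already contains
# an HTML entity will be escaped a second time when rendered.
def double_escaped?(stored)
  stored != CGI.unescapeHTML(stored)
end

# The utf8 -> latin1 conversion in Edit 1 cannot change an apostrophe: it is
# ASCII 0x27 in both character sets. Returns true when the string encodes to
# identical bytes in UTF-8 and ISO-8859-1 (MySQL's latin1), false for
# characters such as accented letters whose bytes really do differ.
def charset_neutral?(str)
  str.encode("UTF-8").bytes == str.encode("ISO-8859-1").bytes
end

# Layer 3 (SQL): quoting for the database is a different operation from HTML
# escaping and happens in a different place. ActiveRecord does this for you;
# ANSI '' doubling is shown here only to make the contrast visible.
def sql_string_literal(value)
  "'" + value.gsub("'", "''") + "'"
end

if __FILE__ == $0
  stored = normalize_for_storage(USER_INPUT)
  puts "stored in DB : #{stored}"
  puts "rendered     : #{render_html(stored)}"
  puts "double-escaped if the escaped form were stored? " \
       "#{double_escaped?(render_html(stored))}"
  puts "charset-neutral? #{charset_neutral?(stored)}"
  puts "SQL literal  : #{sql_string_literal(stored)}"
end
```

Running it shows that the raw name goes into the database unchanged, is escaped once when rendered, and that the charset change has no effect on `'`; if `double_escaped?` returns true for what is actually in your `name` column, the value was escaped before it was saved, and the fix is to store the raw string and let the view do the escaping.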