
@heyjosephme

Fixes #1581

Problem

SQLite and non-MySQL/PostgreSQL databases weren't escaping SQL wildcards (%, _, \) in LIKE queries, causing unintended matches.

Solution

Replace database-specific escaping with Rails' sanitize_sql_like method, which works for all databases.

Changes

  • Simplified escape_wildcards method in lib/ransack/constants.rb
  • Updated test expectations for SQLite in spec/ransack/predicate_spec.rb
  • Changed from 13 lines of regex to 1 line using Rails built-in

Testing

  • ✅ All tests pass (8 examples, 0 failures)
  • ✅ Wildcard escaping now works correctly for SQLite

This is my first contribution to Ransack. Looking forward to feedback!

Previously, escape_wildcards only escaped special characters (%, _, \)
for MySQL and PostgreSQL, leaving SQLite and other databases vulnerable
to unintended wildcard matches in LIKE queries.

This commit replaces the database-specific escaping logic with Rails'
sanitize_sql_like method, which works consistently across all database
adapters.

Changes:
- Replaced database-specific regex with sanitize_sql_like
- Updated test expectations for SQLite to match correctly escaped output
- Simplified code from 13 lines to 1 line

Fixes activerecord-hackery#1581
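A runnable sketch of what the fix changes, added here and not part of the PR, of Ransack or of Rails: escape_wildcards models the escaping sanitize_sql_like performs (assumed behaviour: prefix %, _ and the escape character itself with the escape character), and like_regex/like? are a small evaluator of SQL LIKE with an ESCAPE clause, so the over-matching described above can be reproduced offline without a database.

```ruby
# Added example, not Ransack's or Rails' own code. escape_wildcards is modelled on
# the assumed behaviour of ActiveRecord's sanitize_sql_like; like_regex/like?
# are a tiny evaluator of SQL LIKE ... ESCAPE semantics for demonstration only.

# Escape LIKE metacharacters in user input so they match literally.
def escape_wildcards(value, escape_character = "\\")
  metachars = Regexp.union(escape_character, "%", "_")
  value.gsub(metachars) { |ch| escape_character + ch }
end

# Translate a LIKE pattern (with ESCAPE escape_character) into an anchored
# regexp: % -> .*, _ -> ., escaped char -> literal, everything else literal.
def like_regex(pattern, escape_character = "\\")
  source = +"\\A"
  chars = pattern.chars
  i = 0
  while i < chars.length
    ch = chars[i]
    if ch == escape_character && i + 1 < chars.length
      source << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    source << case ch
              when "%" then ".*"
              when "_" then "."
              else Regexp.escape(ch)
              end
    i += 1
  end
  Regexp.new(source << "\\z", Regexp::MULTILINE)
end

def like?(text, pattern)
  like_regex(pattern).match?(text)
end

# Ransack's "cont" predicate wraps the value as %value%. Constructed sample rows:
ROWS = ["50% off", "50 dollars", "abc", "a_c"].freeze

def contains_matches(needle, escape: true)
  needle = escape_wildcards(needle) if escape
  ROWS.select { |row| like?(row, "%#{needle}%") }
end

if __FILE__ == $PROGRAM_NAME
  p contains_matches("50%", escape: false) # unescaped: over-matches "50 dollars"
  p contains_matches("50%")                # escaped: only "50% off"
end
```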

Linked issue: LIKE predicates do not escape values in SQLite and other non-MySQL/PostgreSQL RDBMS