Is ActiveRecord's “order” method vulnerable to SQL injection?

Backend · Unresolved · 5 · 2204
我寻月下人不归 2020-12-17 10:32

I know it's not safe to use interpolated strings when calling .where.

e.g. this:

Client.where("orders_count = #{params[:orders]}")

5 answers
  •  悲&欢浪女
    2020-12-17 11:14

    Let's try this!

    # app/models/concern/ext_active_record.rb
    module ExtActiveRecord
      extend ActiveSupport::Concern

      included do
        # Sort by the column and direction given in the request parameters.
        # Passing a Hash (column => direction) to reorder, rather than an
        # interpolated string, makes ActiveRecord quote the column name and
        # accept only asc/desc as the direction (anything else raises
        # ArgumentError), so the parameters are never spliced into the SQL raw.
        scope :sortable, -> (params) do
          return unless params[:sort_by] && params[:sort_dir]
          reorder("#{params[:sort_by]}" => "#{params[:sort_dir]}")
        end
      end
    end

    # app/models/user.rb
    class User < ActiveRecord::Base
      include ExtActiveRecord
      # ....
    end

    # app/controllers/user_controller.rb
    class UserController < ApplicationController
      def index
        @users = User.sortable(params).page(params[:page]).per(params[:per])
      end
    end

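The hash form above keeps the query safe, but a column name that is not in the table still produces a failed query. An added example (not part of the answer above) that allow-lists the sort parameters before they reach `reorder`; the module name, column list and default ordering are assumptions, and plain Ruby is enough to run it:

```ruby
# Allow-list untrusted sort parameters before passing them to
# ActiveRecord's hash-form `reorder`. Module name is hypothetical.
module SortParams
  # Constructed allow-list: only these columns may be exposed for sorting.
  SORTABLE_COLUMNS = %w[name email created_at].freeze
  DIRECTIONS       = %w[asc desc].freeze
  # Fallback ordering when the request supplies nothing usable.
  DEFAULT          = { "created_at" => :desc }.freeze

  # Returns a Hash suitable for `Model.reorder(...)`, e.g. { "name" => :asc }.
  # Anything not on the allow-list degrades to DEFAULT instead of raising,
  # so a tampered query string yields the default ordering, not a 500.
  # `params` is expected to be hash-like with :sort_by / :sort_dir keys,
  # as in the answer's `params[:sort_by]`.
  def self.order_clause(params)
    column    = params[:sort_by].to_s
    direction = params[:sort_dir].to_s.downcase   # accept "ASC" as well as "asc"
    return DEFAULT unless SORTABLE_COLUMNS.include?(column)
    return DEFAULT unless DIRECTIONS.include?(direction)
    { column => direction.to_sym }
  end

  # Strict variant for APIs that should reject rather than silently fix input.
  def self.order_clause!(params)
    clause = order_clause(params)
    raise ArgumentError, "unsortable parameters" if clause.equal?(DEFAULT) && params[:sort_by]
    clause
  end
end

if __FILE__ == $0
  # In a controller this would be: User.reorder(SortParams.order_clause(params))
  p SortParams.order_clause(sort_by: "name", sort_dir: "ASC")
  p SortParams.order_clause(sort_by: "password_digest", sort_dir: "asc")
end
```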
