From 6db87dd551e019616a1fcf9b4d7fa79a364ffbd2 Mon Sep 17 00:00:00 2001
From: Rick Barrette
Date: Sat, 21 Feb 2026 08:33:59 -0500
Subject: [PATCH] search for a vehicle by vin, make, model, or year, plus sql sanitization

---
 app/models/vehicle.rb | 7 ++++---
 app/views/vehicles/_search.html.erb | 2 +-
 config/locales/en.yml | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/app/models/vehicle.rb b/app/models/vehicle.rb
index c2d7c75..de57649 100644
--- a/app/models/vehicle.rb
+++ b/app/models/vehicle.rb
@@ -50,9 +50,10 @@ class Vehicle < ActiveRecord::Base
     write_attribute(:vin, val)
   end
 
-  # search for a vin
-  def self.search(search)
-    where("vin LIKE ?", "%#{search}%")
+  # search for a vehicle by vin, make, model, or year
+  def self.search(query)
+    q = sanitize_sql_like(query)
+    where("vin LIKE ? OR make LIKE ? OR model LIKE ? OR year LIKE ?", "%#{q}%", "%#{q}%", "%#{q}%", "%#{q}%")
   end
 
   # decodes a vin and updates self
diff --git a/app/views/vehicles/_search.html.erb b/app/views/vehicles/_search.html.erb
index 27ba490..8844d06 100644
--- a/app/views/vehicles/_search.html.erb
+++ b/app/views/vehicles/_search.html.erb
@@ -1,4 +1,4 @@
 <%= form_tag(vehicles_path, method: "get", id: "search-form") do %>
-  <%= text_field_tag :search, params[:search], placeholder: t(:label_search_vin), autocomplete: "off" %>
+  <%= text_field_tag :search, params[:search], placeholder: t(:label_search), autocomplete: "off" %>
   <%= submit_tag t(:label_search) %>
 <% end %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index ab5e2f9..abba34a 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -28,7 +28,7 @@ en:
   label_model: "Model"
   label_new_vehicle: "New Customer Vehicle"
   label_no_vehicles: "There are no vehicles containing the term(s)"
-  label_search_vin: "Search Vehicles by VIN"
+  label_search: "Search Vehicles"
   label_year: "Year"
   no_customer: "Customer no longer exists"
   notice_vehicle_created: "Vehicle was successfully created."
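Review bot: `sanitize_sql_like(query)` escapes `%` and `_` with a backslash, but the `where` clause on the new side never declares that escape character, so on adapters where backslash is not the default LIKE escape (SQLite, for one) the user's wildcards still match and the escaping is a no-op; append the escape to each pattern, e.g. `where("vin LIKE ? ESCAPE '\\' OR make LIKE ? ESCAPE '\\' OR model LIKE ? ESCAPE '\\' OR year LIKE ? ESCAPE '\\'", "%#{q}%", "%#{q}%", "%#{q}%", "%#{q}%")`. The `?` binds are what prevent SQL injection here; `sanitize_sql_like` only stops a caller from widening the match with wildcards, so the commit subject's "sql sanitization" overstates it, and the method comment would be more accurate as `# search by vin, make, model, or year; wildcard characters in the query are escaped, the ? binds handle quoting`. `sanitize_sql_like(nil)` raises, so the caller must pass a string (or the method should use `query.to_s`); whether the controller guarantees that cannot be seen from this hunk. If `year` is a numeric column, `year LIKE ?` relies on an implicit cast that some databases reject (PostgreSQL raises on integer LIKE text) — worth confirming against the schema, which is not in the hunk.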