search for a vehicle by vin, make, model, or year, plus sql sanitization

2026-04-02 07:01:59 -04:00 · 2026-02-21 08:33:59 -05:00
parent a73b6cd438
commit 6db87dd551
3 changed files with 6 additions and 5 deletions
--- a/app/models/vehicle.rb
+++ b/app/models/vehicle.rb
@@ -50,9 +50,10 @@ class Vehicle < ActiveRecord::Base
    write_attribute(:vin, val)
  end
-  # search for a vin
+  # search for a vehicle by vin, make, model, or year
-  def self.search(search)
+  def self.search(query)
-    where("vin LIKE ?", "%#{search}%")
+    q = sanitize_sql_like(query)
    where("vin LIKE ? OR make LIKE ? OR model LIKE ? OR year LIKE ?", "%#{q}%", "%#{q}%", "%#{q}%", "%#{q}%") 
  end
  # decodes a vin and updates self
--- a/app/views/vehicles/_search.html.erb
+++ b/app/views/vehicles/_search.html.erb
@@ -1,4 +1,4 @@
 <%= form_tag(vehicles_path, method: "get", id: "search-form") do %>
-  <%= text_field_tag :search, params[:search], placeholder: t(:label_search_vin), autocomplete: "off" %>
+  <%= text_field_tag :search, params[:search], placeholder: t(:label_search), autocomplete: "off" %>
  <%= submit_tag t(:label_search) %>
 <% end %>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -28,7 +28,7 @@ en:
  label_model: "Model"
  label_new_vehicle: "New Customer Vehicle"
  label_no_vehicles: "There are no vehicles containing the term(s)"
-  label_search_vin: "Search Vehicles by VIN"
+  label_search: "Search Vehicles"
  label_year: "Year"
  no_customer: "Customer no longer exists"
  notice_vehicle_created: "Vehicle was successfully created."