
Conversation

Copilot
Contributor

@Copilot Copilot AI commented Sep 24, 2025

Problem

Ransack's LIKE-based predicates (*_cont, *_not_cont, *_start, *_end, etc.) were not properly escaping wildcard characters (%, _, \) in SQLite and other non-MySQL/PostgreSQL databases. This caused unintended matches when search values contained these special characters.

For example, searching for %_ would match any record due to the wildcards being treated as SQL pattern characters instead of literal characters:

# Before fix - matches all records in SQLite
Product.ransack(name_cont: '%_').result
# Generated SQL: WHERE "products"."name" LIKE '%%_%'

Solution

This PR implements consistent wildcard escaping across all database adapters by:

  1. Replacing adapter-specific escaping logic with ActiveRecord::Base.sanitize_sql_like in the escape_wildcards method
  2. Adding automatic ESCAPE clause detection to include ESCAPE '\' when escaped wildcards are present in LIKE predicates
  3. Updating tests to expect proper escaping behavior for all database adapters

Changes

Core Implementation

  • lib/ransack/constants.rb: Updated escape_wildcards to use Rails' built-in sanitize_sql_like method
  • lib/ransack/nodes/condition.rb: Enhanced format_predicate to automatically add ESCAPE clause when needed

Test Updates

  • spec/ransack/predicate_spec.rb: Updated test expectations for SQLite to include ESCAPE clauses and added comprehensive wildcard escaping test coverage

After Fix

# Now works correctly - only matches records containing literal '%_'
Product.ransack(name_cont: '%_').result
# Generated SQL: WHERE "products"."name" LIKE '%\%\_%' ESCAPE '\'

Verification

  • ✅ All existing tests pass
  • ✅ New tests verify proper wildcard character handling
  • ✅ Original reproduction case now works correctly
  • ✅ No regressions in broader test suite
  • ✅ Consistent behavior across MySQL, PostgreSQL, SQLite, and other supported databases

This fix ensures that wildcard characters in search values are treated as literal characters consistently across all database adapters, making Ransack's search behavior predictable and secure.


Additional instructions:

ensure additional test coverage is added
refactor relevant code around the changes if useful

Fixes #1581


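The matching difference the PR description relies on (an unescaped '%_' matching every row versus the escaped pattern matching only rows that literally contain '%_') can be observed without a database. The block below is an added example, not Ransack's or Rails' code: escape_like reimplements the escaping behaviour attributed to ActiveRecord::Base.sanitize_sql_like (the escape character is doubled first, then % and _ are prefixed; this is an assumption about its rules, not a copy of its source), cont_clause builds a *_cont-style pattern and appends ESCAPE only when escaping changed the value, and like_match? is a small LIKE evaluator so the effect can be checked against a constructed list of names. All names (escape_like, cont_clause, like_match?, search_cont, NAMES) are hypothetical.

```ruby
# Added example, not Ransack's or Rails' code. Shows why LIKE metacharacters
# in user input must be escaped and paired with an ESCAPE clause.

ESCAPE_CHAR = "\\"

# Assumed equivalent of ActiveRecord::Base.sanitize_sql_like: double the
# escape character first, then prefix every % and _ with it. Block form is
# used so gsub does not reinterpret backslashes in the replacement.
def escape_like(value, esc = ESCAPE_CHAR)
  value = value.gsub(esc) { esc * 2 } if value.include?(esc)
  value.gsub(/(?=[%_])/) { esc }
end

# Hypothetical *_cont clause builder. The ESCAPE clause is added only when
# escaping actually changed the value, mirroring the approach the PR describes.
# (Value quoting is simplified; in practice the value is a bind parameter.)
def cont_clause(column, value)
  escaped = escape_like(value)
  sql = "#{column} LIKE '%#{escaped}%'"
  sql += " ESCAPE '#{ESCAPE_CHAR}'" if escaped != value
  sql
end

# Minimal LIKE evaluator: % matches any run, _ matches one character,
# and esc followed by X matches a literal X (when esc is given).
def like_match?(text, pattern, esc = nil)
  re = +""
  chars = pattern.chars
  i = 0
  while i < chars.size
    c = chars[i]
    if esc && c == esc && i + 1 < chars.size
      re << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    re << case c
          when "%" then ".*"
          when "_" then "."
          else Regexp.escape(c)
          end
    i += 1
  end
  text.match?(/\A#{re}\z/m)
end

# Constructed sample rows standing in for products.name.
NAMES = ["widget", "50%_off", "under_score", "100% pure"].freeze

# Run a *_cont search over NAMES, with or without wildcard escaping.
def search_cont(value, escaped: true)
  pattern = escaped ? "%#{escape_like(value)}%" : "%#{value}%"
  esc = escaped ? ESCAPE_CHAR : nil
  NAMES.select { |n| like_match?(n, pattern, esc) }
end

if __FILE__ == $PROGRAM_NAME
  puts cont_clause("products.name", "%_")
  p search_cont("%_", escaped: false)  # unescaped: every row matches
  p search_cont("%_")                  # escaped: only the literal '%_'
end
```

Note that the ESCAPE clause is what makes the backslash meaningful to the database; escaping the value alone is not enough on engines (SQLite among them) that do not treat backslash as an escape character by default.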

@Copilot Copilot AI changed the title [WIP] LIKE predicates do not escape values in SQLite and other non-MySQL/PostgreSQL RDBMS Fix LIKE predicates wildcard escaping for SQLite and other non-MySQL/PostgreSQL databases Sep 24, 2025
Copilot finished work on behalf of scarroll32 September 24, 2025 14:05
@Copilot Copilot AI requested a review from scarroll32 September 24, 2025 14:05
Successfully merging this pull request may close these issues.

LIKE predicates do not escape values in SQLite and other non-MySQL/PostgreSQL RDBMS