Topic: How to sanitize user supplied date params outside ActiveRecord?

I see that sanitizing user supplied params can easily be done as part of an ActiveRecord query, e.g. `Games.where("myfield = ?", myparam)` or something like that.

I have many queries using several joins, several conditions and selected fields from the joined tables. Currently I have them as find_by_sql, using the SQL from a previous app in Delphi. The parameter comes into the SQL in #{}. Mostly, I define a self method in a model and pass the params as part of the call to the method from a controller.

I have a lot of date params using user selected dates for my queries. I have been trying to validate them in filters so as to redirect the user before the code gets to the query if the param is not a date. Of particular concern is SQL injection. I might have thought I could call my_var = params[:report_date].sanitize. It seems the only way I can find to sanitize the param against SQL injection is to use it as part of an AR find as above. My understanding is that anything that goes into an SQL or where string using #{} is not sanitized. Is this correct?

I have been trying to use Date.strptime to validate my incoming dates and pick up invalid dates on rescue, but this does not seem to be working. Date.strptime seems to parse a blank date param in a way that seems to pass a regex test.

In my particular case I want to validate a date param, then check if there are any games for that date before calling the module with the main query. Then I can redirect to another page if the date has no games.

Checking the games for the date still requires a 3 table join up through league and sport. It's easy to write this query as find_by_sql, but I can't manage to get the syntax right; I have asked for help with that in another thread.
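The two pieces the post is asking about, shown as an added example that is not code from the original post: a strict date validator built on Date.strptime that rejects nil, blank, mis-formatted, impossible and trailing-junk values (a round-trip check is used rather than trusting strptime alone), and the existence query written so that the validated Date is handed to ActiveRecord as a bind value. The array form of `find_by_sql` / `count_by_sql` runs its values through `sanitize_sql`, which is what makes it safe; a value interpolated into the SQL string with `#{}` gets no sanitization at all. The date format, the table and column names (games, leagues, sports, game_date, league_id, sport_id), and the `count_games` callable standing in for `Game.count_by_sql` are assumptions so the block runs without Rails.

```ruby
require "date"

# Assumed wire format for params[:report_date]; change to match the form.
REPORT_DATE_FORMAT = "%Y-%m-%d"

# Returns a Date for a well-formed, real calendar date, otherwise nil.
# nil/blank is rejected before strptime ever sees it, an impossible date
# (2019-02-29) raises inside strptime, and the round-trip comparison catches
# anything strptime is lenient about (unpadded fields, trailing characters).
def parse_report_date(param)
  str = param.to_s.strip
  return nil if str.empty?

  date = Date.strptime(str, REPORT_DATE_FORMAT)
  return nil unless date.strftime(REPORT_DATE_FORMAT) == str
  date
rescue ArgumentError # Date::Error (Ruby 3+) is a subclass of ArgumentError
  nil
end

# Builds the argument for ActiveRecord's array form, e.g.
#   Game.count_by_sql(games_on_date_sql(date))   # => Integer
# The adapter quotes the bound Date; nothing from the request is ever
# interpolated into the SQL text. Table and column names are assumed.
def games_on_date_sql(date)
  raise ArgumentError, "expected a Date, got #{date.class}" unless date.is_a?(Date)

  sql = <<~SQL
    SELECT COUNT(*)
    FROM games g
    JOIN leagues l ON l.id = g.league_id
    JOIN sports  s ON s.id = l.sport_id
    WHERE g.game_date = ?
  SQL
  [sql, date]
end

# Controller-side flow from the post, as a plain method with assumed names.
# count_games is a callable taking the [sql, bind] array and returning the
# count (in Rails: ->(arr) { Game.count_by_sql(arr) }).
def report_date_for(params, count_games)
  date = parse_report_date(params[:report_date])
  return [:bad_date, nil] if date.nil?                       # redirect: not a date
  return [:no_games, date] if count_games.call(games_on_date_sql(date)).zero?

  [:ok, date]                                                # safe to run the main query
end
```

In the real controller the `:bad_date` and `:no_games` branches become `redirect_to`, and the main report query takes the same shape as `games_on_date_sql`: an SQL string with `?` placeholders plus the already-parsed Date, never `#{params[:report_date]}`.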