Why did you alter Jeffrey's code?
He gave you good advice.

In "Agile Web Development with Rails" you can find this: Rails doesn't 
parse the SQL inside a condition and so doesn't substitute the #{name}.

According to the same book, you should always use the ["title = ?", name] 
notation as opposed to ["title = #{name}"]. It gives you a security belt. By 
doing this, Active Record will try to avoid some SQL injection attacks.

Christophe

On 30 March 2010 at 05:44, Leah Antkiewicz wrote:

> Jeffrey L. Taylor wrote:
>> Quoting Leah Antkiewicz <[email protected]>:
>>> Rolling Rock. I tried the following but it doesn't work:
>>> @find = Product.find(:first, :conditions => ["title.include?
>>> '#{name}'"])
>>> 
>>> I get this error:
>>> ActiveRecord::StatementInvalid in SearchController#results
>>> Mysql::Error: You have an error in your SQL syntax; check the manual
>>> that corresponds to your MySQL server version for the right syntax to
>>> use near 'include'#{name}')  LIMIT 1' at line 1: SELECT * FROM
>>> `products` WHERE (title include'#{name}')  LIMIT 1
>>> 
>> 
>> @find = Product.find(:first, :conditions => ["title like '?'", 
>> "%#{name}%"])
>> 
>> This code is untested, but I would expect it to work.
>> 
>> Jeffrey
> 
> Thanks for the help Jeffrey but I still get the same error that I posted 
> above. I altered your code to this:
> @find = Product.find(:all, :conditions => ["title LIKE '#{name}'"])
> and got it to work when I enter the full name again but when I add in 
> the % signs it tells me:
> @find = Product.find(:all, :conditions => ["title LIKE '%#{name}%'"])
> malformed format string - %R
> 
> Any suggestions on why the % doesn't work?
> -- 
> Posted via http://www.ruby-forum.com/.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/rubyonrails-talk?hl=en.
> 
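
An added example, not code from this thread or from Rails: a simplified stand-in for "?" binding that shows why the placeholder form keeps user input inside one SQL string literal while the interpolated form does not, and how to pass the % wildcards as part of the bound value. The helper names (`quote`, `bind`, `like_pattern`, `bound_condition`) are hypothetical, the quoting assumes MySQL-style escaping, and `format_error` rests on the assumption that Rails of this era runs a placeholder-free conditions string through Ruby's `String#%`, which is what raises "malformed format string - %R".

```ruby
# Added example: a simplified stand-in for "?" binding, not Active Record's code.

# Quote a value as a SQL string literal: double backslashes and single quotes.
def quote(value)
  "'" + value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "''" } + "'"
end

# Replace each "?" in the conditions array with the next quoted value.
def bind(conditions)
  statement, *values = conditions
  unless statement.count("?") == values.size
    raise ArgumentError, "wrong number of bind variables"
  end
  statement.gsub("?") { quote(values.shift) }
end

# Build a "contains" pattern; escape LIKE wildcards in the user's text so
# that % and _ typed by the user match literally (MySQL's default escape is \).
def like_pattern(term)
  "%" + term.gsub(/[\\%_]/) { |c| "\\" + c } + "%"
end

# The form from the thread: user input pasted into the SQL text.
def interpolated_condition(name)
  "title LIKE '%#{name}%'"
end

# The recommended form: SQL text with a placeholder, value passed separately.
def bound_condition(name)
  bind(["title LIKE ?", like_pattern(name)])
end

# What Ruby's format operator does with a statement containing a bare "%R".
def format_error(statement)
  statement % []
  nil
rescue ArgumentError => e
  e.message
end

if __FILE__ == $0
  hostile = "x' OR '1'='1" # constructed input
  puts interpolated_condition(hostile) # quote in the input ends the literal
  puts bound_condition(hostile)        # input stays inside one literal
  puts format_error(interpolated_condition("Rolling Rock"))
end
```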
