On Jan 18, 6:20 pm, Jeremy Evans <[email protected]> wrote:
> On Jan 18, 12:17 pm, Glen <[email protected]> wrote:
>
> > So, I'm experiencing what I would describe as inconsistent behavior
> > from the oracle adapter.
> >
> > I can create a Sequel::Oracle::Database object without issue.
> > However, when I try executing a raw query with .run I get nil:
> >
> > oracle.run(query + "'#{user}'")
>
> Database#run should only be used for DDL statements. You probably
> want:
>
> oracle[query + "'#{user}'"].all
>
> I second rohit's advice of using the Sequel DSL, or at the very least
> using placeholders instead of string concatenation. Your example code
> is just asking for SQL injection if the user variable is based on user
> input.
>
> Jeremy
Thanks guys,

The query is actually being generated by a stored procedure and I'm picking it up, so sending it is a lot easier than parsing it. However, I should be using placeholders. The data is coming straight out of an LDAP, but that's still no reason to pass it in directly.

-Glen
