Forum: Ruby on Rails Problems with getting correct id from query involving two tables

Ken (Guest)
on 2008-12-09 18:37
(Received via mailing list)
I have a query that is intended to find all "transfers" based on a
condition that uses a second table. In the controller, it looks like

  def find_protocols
    @transfers = Transfer.find(:all, :from => "transfers, protocols",
      :conditions => "transfers.protocol_id = AND = \"#{params[:protocol]}\"")
    respond_to do |format|
      format.html # index.html.erb
      format.xml  { render :xml => @transfers }
    end
  end

It works great, with one problem; the ids associated with the
rendered objects are "transfers.protocol_id" and not
"" (or at any rate, they are certainly not
""). Anyone have recommendations to fix this? I'd prefer
something that allows me to stay at the SQL level, because I am quite
comfortable working with the SQL queries.

Many thanks,
Andy K. (Guest)
on 2008-12-09 18:42
(Received via mailing list)
you add...

:select => "transfers.*"
Kenneth McDonald (Guest)
on 2008-12-09 19:27
(Received via mailing list)
Thanks. I also found that reversing the order of the tables worked,
but the select will be a lot more reliable.

Maurício L. (Guest)
on 2008-12-09 19:32
(Received via mailing list)
You should NEVER do this:

   @transfers = Transfer.find(:all, :from => "transfers, protocols",
     :conditions => "transfers.protocol_id = AND = \"#{params[:protocol]}\"")

You're opening up your site for SQL injection attacks. Do it using
placeholder variables:

   @transfers = Transfer.find(:all, :from => "transfers, protocols",
     :conditions => ["transfers.protocol_id = AND = ?", params[:protocol]])

Maurício Linhares (pt-br) |
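
The difference between the two forms above, as an added example that is not part of the thread and not Rails code: it builds the WHERE clause both ways in plain Ruby and compares the SQL that remains outside string literals. The column names `protocols.id` and `protocols.name`, the helper names, and the sample values are assumptions made for illustration; the quoting is a standard-SQL stand-in for what a placeholder does.

```ruby
# Added example. Column names protocols.id / protocols.name are assumed;
# the thread's own column names did not survive on the page.
TEMPLATE = 'transfers.protocol_id = protocols.id AND protocols.name = ?'

# Interpolated form: the request value is pasted into the SQL text.
def interpolated_conditions(value)
  "transfers.protocol_id = protocols.id AND protocols.name = \"#{value}\""
end

# Stand-in for placeholder binding: each ? becomes exactly one quoted
# string literal, with embedded single quotes doubled.
def bound_conditions(template, *values)
  remaining = values.dup
  sql = template.gsub('?') do
    raise ArgumentError, 'too few values' if remaining.empty?
    "'" + remaining.shift.to_s.gsub("'", "''") + "'"
  end
  raise ArgumentError, 'too many values' unless remaining.empty?
  sql
end

# Drop quoted literals and return the keywords and identifiers left over,
# i.e. the part of the clause the database parses as code rather than data.
def code_tokens(sql)
  outside = sql.gsub(/'(?:[^']|'')*'|"(?:[^"]|"")*"/, ' ')
  outside.scan(/[A-Za-z_][\w.]*/)
end

# True when a value changed the shape of the clause compared with a
# baseline built from a harmless value.
def structure_changed?(sql, baseline)
  code_tokens(sql) != code_tokens(baseline)
end

if __FILE__ == $0
  hostile = 'x" OR "1"="1' # constructed sample input
  unsafe = interpolated_conditions(hostile)
  safe   = bound_conditions(TEMPLATE, hostile)
  puts unsafe, code_tokens(unsafe).inspect
  puts safe, code_tokens(safe).inspect
end
```

With the constructed input, the interpolated clause gains an `OR` token outside any literal, while the bound clause keeps the same tokens as the baseline because the whole value stays inside one literal.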