Forum: Ruby on Rails Double Quotes Problem in mysql

Salil G. (Guest)
on 2009-04-10 14:56
Hi All,
   I am using following code to find the artist
@actual_artist=Artist.find_by_name(params[:record][:artist_name])
---Line A

My problem is that I receive data like
params[:record][:artist_name]="Acg\""

so my application crashes on Line A.
How can I avoid it?

Thanks in advance

Salil
Frederick C. (Guest)
on 2009-04-10 15:20
(Received via mailing list)
On Apr 10, 11:56 am, Salil G. <removed_email_address@domain.invalid>
wrote:
> Hi All,
>    I am using following code to find the artist
> @actual_artist=Artist.find_by_name(params[:record][:artist_name])
> ---Line A
>
> My problem is that I receive data like
> params[:record][:artist_name]="Acg\""
>
> so my application crashes on Line A.

What error do you get ?

Fred
Salil G. (Guest)
on 2009-04-11 12:48
>
> What error do you get ?
>
> Fred

Sorry Fred, I'm unable to reproduce the same error.
So I'll start with another one.

params[:album]="Bust a Move (12\" Remixes) - EP"

TempRoyaltyReport.update_all("artist_name=#{@artist},album_name=#{@album},upc = #{params[:upc]},status = 'corrected'",
  "artist_name = \"#{@corrected_artist.artist_name}\" and album_name = \"#{@corrected_artist.album_name}\" and upc = '#{@corrected_artist.upc}'")


And I get the following error:

Mysql::Error: #42000You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'Remixes) - EP",upc = 829357903914,status =
'corrected' WHERE (artist_name = "VAR' at line 1: UPDATE
temp_royalty_reports SET artist_name="Young MC",album_name ="Bust a Move
(12" Remixes) - EP",upc = 829357903914,status = 'corrected' WHERE
(artist_name = "VARIOUS ARTISTS" and album_name = "RMXXOLOGY DELUXE" and
isrc = 'USDE10801060')
pharrington (Guest)
on 2009-04-11 20:16
(Received via mailing list)
The problem here is that update_all doesn't actually sanitize the
value passed to the 'updates' parameter. Your particular example will
work if you just surround the #{@album} in single quotes, but
that's obviously not going to address the broader problem. Rather,
you'll need to do something like the following:

# Look up the rows to change through the hash conditions form, which
# quotes each value for you.
records = TempRoyaltyReport.find(:all, :conditions => {:artist_name => @corrected_artist.artist_name,
                                                        :album_name => @corrected_artist.album_name,
                                                        :upc => @corrected_artist.upc})
# Then update each one through update_attributes, which also quotes its values.
records.each { |r| r.update_attributes({:artist_name => @artist, :album_name => @album,
                                        :upc => params[:upc], :status => 'corrected'}) }

The basic idea is to retrieve all the records to be updated first (or
for better performance just the list of IDs to be updated), and *then*
use the ActiveRecord::Base methods that actually know how to sanitize
input.

On Apr 11, 4:48 am, Salil G. <removed_email_address@domain.invalid>
Frederick C. (Guest)
on 2009-04-11 20:53
(Received via mailing list)
On Apr 11, 5:16 pm, pharrington <removed_email_address@domain.invalid> wrote:
> The problem here is that update_all doesn't actually sanitize the
> value passed to the 'updates' parameter.

It can if you give it a chance, e.g.
TempRoyaltyReport.update_all(["artist_name=?", @artist_name]) or
TempRoyaltyReport.update_all(:artist_name => @artist_name). Just like the
conditions you pass to find.

Fred
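To make the difference between the two forms discussed above concrete, here is an added example (not code from the thread or from ActiveRecord). It implements a small stand-in for the `["col = ?", value]` array form and the `:col => value` hash form that update_all and find accept, and runs the album name from Salil's post through both the interpolated string and the placeholder path. The quoting rule (single-quoted literal, backslash before quotes and backslashes) is a simplified imitation of what ActiveRecord's MySQL adapter does; the function names `quote_value`, `bind_placeholders`, `set_clause_from_hash`, `unsafe_set_clause` and `safe_set_clause` are this example's own.

```ruby
# Added example, not from the thread and not ActiveRecord. It shows why
# the ["... ?", value] and {:col => value} forms survive a double quote in
# the data while string interpolation does not.

# Quote a Ruby value as a MySQL string literal (simplified imitation of
# the adapter's quoting): strings become '...' with backslashes and both
# quote characters escaped, numbers pass through, nil becomes NULL.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else
    escaped = value.to_s.gsub(/[\\'"]/) { |c| "\\#{c}" }
    "'#{escaped}'"
  end
end

# Expand each ? in the template with the next quoted value, the way the
# array form ["artist_name = ?", @artist_name] is expanded. A mismatch
# between placeholders and values is an error rather than silent garbage.
def bind_placeholders(template, values)
  values = values.dup
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} bind values, got #{values.size}"
  end
  template.gsub("?") { quote_value(values.shift) }
end

# Build a SET clause from the hash form {:album_name => ...}. Column names
# come from the program, never from user input, so they are checked
# against a plain identifier pattern; values are quoted.
def set_clause_from_hash(assignments)
  assignments.map do |column, value|
    name = column.to_s
    unless name.match?(/\A[A-Za-z_][A-Za-z0-9_]*\z/)
      raise ArgumentError, "invalid column name #{name.inspect}"
    end
    "#{name} = #{quote_value(value)}"
  end.join(", ")
end

# The interpolation form from the thread: the value lands in the SQL text
# unchanged, so a double quote in the data ends the literal early.
def unsafe_set_clause(album)
  "album_name = \"#{album}\""
end

# The same clause through placeholders: the quote is escaped, the literal
# stays intact.
def safe_set_clause(album)
  bind_placeholders("album_name = ?", [album])
end

if __FILE__ == $PROGRAM_NAME
  album = "Bust a Move (12\" Remixes) - EP"   # value from the thread
  puts "interpolated: #{unsafe_set_clause(album)}"
  puts "placeholder:  #{safe_set_clause(album)}"
  puts "hash form:    #{set_clause_from_hash(:artist_name => "Young MC",
                                               :album_name => album,
                                               :status => "corrected")}"
end
```

Running it prints the broken interpolated clause (`album_name = "Bust a Move (12" Remixes) - EP"`, where MySQL sees the literal end after `12`) next to the placeholder clause with the quote escaped. In real code the point is simply to hand values to update_all and find in the array or hash form and let the adapter do this quoting; the stand-in exists only to make the transformation visible.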
pharrington (Guest)
on 2009-04-11 21:13
(Received via mailing list)
Don't know why i didn't know this. Thanks!

On Apr 11, 12:52 pm, Frederick C. <removed_email_address@domain.invalid>