SELECT * FROM people WHERE (phone like "%'555'%" )
ERROR:
model = "555"
conditions = ["value like '%?%'", model]  ==> WHERE (phone like "%'555'%" )
What's the right way to write this query?
The way that works

Actually you can do this:
"value like ?", "%#{model}%"
or equivalent, but I'd rather do "value like '%#{model}%'" in the
first place (unless there's an advantage to the ? technique that I'm
not taking into account).
to prevent problems. Model might contain a question mark or perhaps worse:
quotes.
Even if you know model never to contain special characters, it is better to
get used to the form above. Next time, model is a value entered by a user,
leaving your site open to SQL injection attacks.
Indeed – I wasn’t factoring in the escape mechanism.
Another advantage is performance. Some databases cache compiled queries.
When you put 'model' directly in the query, the query will be different
every time, making caching impossible.
Erik.
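To make the two points of the thread concrete (why "value like '%?%'" yields the broken WHERE clause at the top, and why the bind form is safer than interpolating model into the string), here is an added example that is not code from the thread or from Rails. It is a small pure-Ruby model of how a conditions array with ? placeholders is expanded into SQL text; the function names (quote_sql, expand_conditions, escape_like, and the three *_query helpers) are hypothetical, and the quoting rule is the standard SQL one of doubling embedded single quotes, not ActiveRecord's own implementation. The attacker string is constructed for the demonstration.

```ruby
# Added example, not Rails code: a minimal model of "?"-placeholder expansion,
# enough to show the quoting behaviour the thread is arguing about.

# Quote a Ruby value as a SQL literal: strings are wrapped in single quotes with
# any embedded quote doubled (standard SQL escaping); numbers are emitted bare.
def quote_sql(value)
  case value
  when Integer, Float then value.to_s
  when nil then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Expand ["sql with ? markers", v1, v2, ...]: each ? is replaced, left to right,
# by the quoted next value. (Hypothetical helper, modelled on a conditions array.)
def expand_conditions(conditions)
  sql, *values = conditions
  unless sql.count("?") == values.size
    raise ArgumentError, "expected #{sql.count('?')} bind values, got #{values.size}"
  end
  pending = values.dup
  # gsub with a block is a single left-to-right pass, so a quoted value that
  # itself contains "?" is never re-scanned for placeholders.
  sql.gsub("?") { quote_sql(pending.shift) }
end

# The original poster's form: the ? sits inside quotes, so the bound value is
# quoted a second time and the pattern becomes '%'555'%'.
def broken_query(model)
  expand_conditions(["value like '%?%'", model])
end

# The form recommended in the thread: the wildcards are part of the bound value,
# so quoting is applied once, to the whole pattern.
def safe_query(model)
  expand_conditions(["value like ?", "%#{model}%"])
end

# The "I'd rather do" form: interpolation straight into the SQL text. Identical
# output for "555", but a quote in model ends the literal early.
def interpolated_query(model)
  "value like '%#{model}%'"
end

# Caveat: binding keeps the value inside the string literal, but % and _ inside
# it are still LIKE wildcards. Escape them when the user text must match literally.
def escape_like(fragment, esc = "\\")
  fragment.gsub(/[\\%_]/) { |c| esc + c }
end

def safe_literal_query(model)
  expand_conditions(["value like ? escape '\\'", "%#{escape_like(model)}%"])
end

if __FILE__ == $PROGRAM_NAME
  attacker = "' OR 1=1 --"            # constructed input for the demonstration
  puts broken_query("555")            # value like '%'555'%'
  puts safe_query("555")              # value like '%555%'
  puts interpolated_query(attacker)   # value like '%' OR 1=1 --%'
  puts safe_query(attacker)           # value like '%'' OR 1=1 --%'
  puts safe_literal_query("50%_off")  # value like '%50\%\_off%' escape '\'
end
```

Two things the model does not cover: the escape character for LIKE is database-specific (MySQL also treats a backslash as an escape inside ordinary string literals, so pick another ESCAPE character there), and substituting text client-side as this model does gives the database a different statement each time, so the plan-caching benefit Erik mentions only materialises when the driver sends the placeholders through as a real prepared statement.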
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.