Attributes not being santised

I’m using a postgres database and have run into problems where
attributes on a model are not sanitised correctly before being saved.
The following code:

comment = Comment.new( :item => item )
comment.comment = “dog’s breakfast”
comment.save

Produces the following incorrect SQL in my logs:
SELECT id FROM comments WHERE (item_id = 38 and comment = ‘Dog’s
breakfast’ and subscriber_id = ‘90’)

As you can see the ’ in “Dog’s breakfast” is causing issues. How do I
ensure this is sanitised correctly?

On 14 Apr 2008, at 13:36, Farrel wrote:

SELECT id FROM comments WHERE (item_id = 38 and comment = ‘Dog’s
breakfast’ and subscriber_id = ‘90’)

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

On Apr 14, 3:19 pm, Frederick C. [email protected]
wrote:

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

I’m not sure, it seems to be done by Rails.

Farrel

On 14 Apr 2008, at 14:24, Farrel wrote:

On Apr 14, 3:19 pm, Frederick C. [email protected]
wrote:

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

I’m not sure, it seems to be done by Rails.

The obivous way to do it is to delete your development.log file, open
up the console and whack in what you had before (and only that) and
see what’s in the logs after.

Fred

On Apr 14, 3:30 pm, Frederick C. [email protected]
wrote:

The obivous way to do it is to delete your development.log file, open
up the console and whack in what you had before (and only that) and
see what’s in the logs after.

Fred

I did that and it still does a select before doing an insert. Again
not sure why, but that is secondary to my question about the ’ not
being sanitised in the attribute.

Farrel

On Apr 14, 2008, at 9:40 AM, Farrel wrote:

not sure why, but that is secondary to my question about the ’ not
being sanitised in the attribute.

Farrel

Do you have any validations on the model? In particular,
validates_uniqueness_of will cause “select before insert”

-Rob

Rob B. http://agileconsultingllc.com
[email protected]

Farrel wrote:

I’m using a postgres database and have run into problems where
attributes on a model are not sanitised correctly before being saved.
The following code:

comment = Comment.new( :item => item )
comment.comment = “dog’s breakfast”
comment.save

Produces the following incorrect SQL in my logs:
SELECT id FROM comments WHERE (item_id = 38 and comment = ‘Dog’s
breakfast’ and subscriber_id = ‘90’)

As you can see the ’ in “Dog’s breakfast” is causing issues. How do I
ensure this is sanitised correctly?

you could sanitize it yourself (?)

On Apr 15, 9:10 am, Roger P. [email protected]
wrote:

you could sanitize it yourself (?)

That’s what I eventually did.

Farrel

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs