Attributes not being sanitised

I’m using a postgres database and have run into problems where
attributes on a model are not sanitised correctly before being saved.
The following code:

comment = Comment.new( :item => item )
comment.comment = "dog's breakfast"
comment.save

Produces the following incorrect SQL in my logs:
SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's
breakfast' and subscriber_id = '90')

As you can see the ' in "Dog's breakfast" is causing issues. How do I
ensure this is sanitised correctly?

On 14 Apr 2008, at 13:36, Farrel wrote:

SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's
breakfast' and subscriber_id = '90')

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

On Apr 14, 3:19 pm, Frederick C. [email protected]
wrote:

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

I’m not sure, it seems to be done by Rails.

Farrel

On 14 Apr 2008, at 14:24, Farrel wrote:

On Apr 14, 3:19 pm, Frederick C. [email protected]
wrote:

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

I’m not sure, it seems to be done by Rails.

The obvious way to do it is to delete your development.log file, open
up the console and whack in what you had before (and only that) and
see what's in the logs after.

Fred

On Apr 14, 3:30 pm, Frederick C. [email protected]
wrote:

The obvious way to do it is to delete your development.log file, open
up the console and whack in what you had before (and only that) and
see what's in the logs after.

Fred

I did that and it still does a select before doing an insert. Again
not sure why, but that is secondary to my question about the ' not
being sanitised in the attribute.

Farrel

On Apr 14, 2008, at 9:40 AM, Farrel wrote:

not sure why, but that is secondary to my question about the ' not
being sanitised in the attribute.

Farrel

Do you have any validations on the model? In particular,
validates_uniqueness_of will cause “select before insert”

-Rob

Rob B. http://agileconsultingllc.com
[email protected]

Farrel wrote:

I’m using a postgres database and have run into problems where
attributes on a model are not sanitised correctly before being saved.
The following code:

comment = Comment.new( :item => item )
comment.comment = "dog's breakfast"
comment.save

Produces the following incorrect SQL in my logs:
SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's
breakfast' and subscriber_id = '90')

As you can see the ' in "Dog's breakfast" is causing issues. How do I
ensure this is sanitised correctly?

you could sanitize it yourself (?)

On Apr 15, 9:10 am, Roger P. [email protected]
wrote:

you could sanitize it yourself (?)

That’s what I eventually did.

Farrel
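As an added example that is not part of this thread (plain Ruby, no Rails loaded; the helpers quote_literal, unsafe_uniqueness_select, safe_uniqueness_select and balanced_quotes? are hypothetical names written for this illustration), the following builds the SELECT that validates_uniqueness_of issues before the INSERT, once assembled by raw interpolation, which reproduces the unterminated literal seen in the log above, and once with every value passed through a PostgreSQL-style quoting routine, which is what "sanitize it yourself" amounts to. A small quote-balance check shows how the broken statement could be caught in a log line.

```ruby
# Added example, not code from the thread or from Rails. Pure Ruby.
# The helper names below are hypothetical, chosen for this illustration.

# PostgreSQL string-literal quoting: wrap in single quotes and double any
# embedded single quote (the SQL-standard escape). nil becomes NULL and
# integers are emitted bare; anything else is rejected rather than guessed.
def quote_literal(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported literal type: #{value.class}"
  end
end

# The uniqueness SELECT built the UNSAFE way, by interpolating raw values.
# With a comment containing an apostrophe this yields exactly the shape of the
# statement from the thread's development.log.
def unsafe_uniqueness_select(item_id, comment, subscriber_id)
  "SELECT id FROM comments WHERE (item_id = #{item_id} and " \
    "comment = '#{comment}' and subscriber_id = '#{subscriber_id}')"
end

# The same SELECT with every value routed through quote_literal.
def safe_uniqueness_select(item_id, comment, subscriber_id)
  "SELECT id FROM comments WHERE (item_id = #{quote_literal(item_id)} and " \
    "comment = #{quote_literal(comment)} and " \
    "subscriber_id = #{quote_literal(subscriber_id)})"
end

# Cheap defender-side check for a log line: after dropping escaped '' pairs,
# the remaining single quotes must come in matched pairs. An odd count means
# an unterminated literal, which is what the thread's log shows.
def balanced_quotes?(sql)
  sql.gsub("''", "").count("'").even?
end

if __FILE__ == $0
  comment = "Dog's breakfast"   # constructed sample value, mirrors the thread
  puts unsafe_uniqueness_select(38, comment, "90")
  puts safe_uniqueness_select(38, comment, "90")
end
```

In Rails itself the equivalent of quote_literal is the connection's quote method (ActiveRecord::Base.connection.quote), and condition fragments should be built with `?` placeholders via sanitize_sql_array rather than string interpolation, so the quoting is applied by the adapter rather than by hand.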