Double Quotes Problem in mysql

salil · April 10, 2009, 12:56pm

Hi All,
I am using following code to find the artist
@actual_artist=Artist.find_by_name(params[:record][:artist_name])
—Line A

my problem is that i receive da ta like
params[:record][:artist_name]=“Acg”"

so my application crashes on Line A.
How to avoid it …

Thanx in Advance

Salil

salil · April 10, 2009, 1:20pm

On Apr 10, 11:56 am, Salil G. [email protected]
wrote:

Hi All,
I am using following code to find the artist
@actual_artist=Artist.find_by_name(params[:record][:artist_name])
—Line A

my problem is that i receive da ta like
params[:record][:artist_name]=“Acg"”

so my application crashes on Line A.

What error do you get ?

Fred

salil · April 11, 2009, 6:16pm

The problem here is that update_all doesn’t actually sanitize the
value passed to the ‘updates’ parameter. Your particular example will
work if you change just surround the #{@album} in single quotes, but
that’s obviously not going to address the broader problem. Rather,
you’ll need to do something like the following:

records = Find(:all, :conditions => {:artist_name =>
@corrected_artist.artist_name, :album_name =>
@corrected_artist.album_name, :upc => corrected_artist.upc})
records.each {|r| r.update_attributes({:artist => @artist, :album_name
=> @album, :upc => params[:upc], :status => ‘corrected’})

The basic idea is to retrieve all the records to be updated first (or
for better performance just the list of IDs to be updated), and then
use the ActiveRecord::Base methods that actually know how to sanitize
input.

On Apr 11, 4:48 am, Salil G. [email protected]

salil · April 11, 2009, 6:53pm

On Apr 11, 5:16 pm, pharrington [email protected] wrote:

The problem here is that update_all doesn’t actually sanitize the
value passed to the ‘updates’ parameter.

It can do if you give it a chance, eg TempRoyaltyReport.update_all
([“artist_name=?”, @artist_name]) or TempRoyaltyReport.update_all
( :artist_name => @artist_name). Just like the conditions you pass to
find.

Fred

salil · April 11, 2009, 7:13pm

Don’t know why i didn’t know this. Thanks!

On Apr 11, 12:52 pm, Frederick C. [email protected]

salil · April 11, 2009, 10:48am

What error do you get ?

Fred

sorry fred i’m unable to reproduce same error.
So i start with another one…

params[:album]=“Bust a Move (12” Remixes) - EP"

TempRoyaltyReport.update_all(“artist_name=#{@artist},album_name
=#{@album},upc = #{params[:upc]},status = ‘corrected’”, “artist_name =
“#{@corrected_artist.artist_name}” and album_name =
“#{@corrected_artist.album_name}” and upc =
‘#{@corrected_artist.upc}’”)

And I get following error

Mysql::Error: #42000You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near ‘Remixes) - EP",upc = 829357903914,status =
‘corrected’ WHERE (artist_name = "VAR’ at line 1: UPDATE
temp_royalty_reports SET artist_name=“Young MC”,album_name =“Bust a Move
(12” Remixes) - EP",upc = 829357903914,status = ‘corrected’ WHERE
(artist_name = “VARIOUS ARTISTS” and album_name = “RMXXOLOGY DELUXE” and
isrc = ‘USDE10801060’)