The problem here is that update_all doesn't actually sanitize the
value passed to the 'updates' parameter. Your particular example will
work if you just surround the #{@album} in single quotes, but
that's obviously not going to address the broader problem. Rather,
you'll need to do something like the following:
The basic idea is to retrieve all the records to be updated first (or
for better performance just the list of IDs to be updated), and then
use the ActiveRecord::Base methods that actually know how to sanitize
input.
The problem here is that update_all doesn't actually sanitize the
value passed to the 'updates' parameter.
It can do if you give it a chance, e.g.
TempRoyaltyReport.update_all(["artist_name=?", @artist_name]) or
TempRoyaltyReport.update_all(:artist_name => @artist_name). Just like
the conditions you pass to find.
Sorry Fred, I'm unable to reproduce the same error.
So I start with another one...
params[:album] = 'Bust a Move (12" Remixes) - EP'
TempRoyaltyReport.update_all(
  "artist_name=#{@artist},album_name=#{@album},upc = #{params[:upc]},status = 'corrected'",
  "artist_name = \"#{@corrected_artist.artist_name}\" and album_name = \"#{@corrected_artist.album_name}\" and upc = '#{@corrected_artist.upc}'"
)
And I get the following error:
Mysql::Error: #42000You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'Remixes) - EP",upc = 829357903914,status =
'corrected' WHERE (artist_name = "VAR' at line 1: UPDATE
temp_royalty_reports SET artist_name="Young MC",album_name ="Bust a Move
(12" Remixes) - EP",upc = 829357903914,status = 'corrected' WHERE
(artist_name = "VARIOUS ARTISTS" and album_name = "RMXXOLOGY DELUXE" and
isrc = 'USDE10801060')