I try to set up a loop to put the data in the array into the Oracle
database by iteration.
Thus I put the variable into the SQL query. I know this is not correct
for dynamic querying.
Can you give me some advice about how to do dynamic querying in Ruby and
Oracle?
Here is my wrong example. I hope this helps you understand my question. I
really appreciate your help… Thank you so much!!
for q in 0...4
  s = Float(q)
  # as posted: the string is single-quoted, so `s` is not interpolated into the query
  conn.exec('UPDATE SCH_EVENT SET P_ID = 2444334 where RANK= s AND playlist_id=432')
end
Good style is:
conn.exec("UPDATE SCH_EVENT SET P_ID = 2444334 where RANK = :1 AND playlist_id=432", s)
The most efficient way, from a performance point of view, is:
cursor = conn.parse('UPDATE SCH_EVENT SET P_ID = 2444334 where RANK = :1 AND playlist_id=432')
for q in 0...4
  s = Float(q)
  cursor.exec(s)  # binds s to :1; the statement is parsed once and reused
end
cursor.close
Don't sacrifice clarity for small gains in "efficiency".
~ - The Elements of Programming Style (Kernighan & Plauger)
Converting to a number type before using the value is injection-safe.
I wonder how you are going to convince #to_f (or #to_i) to return valid SQL code.
But: why don't you just use prepared statements?
Regards,
Florian G.
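An added example (not code from any post in this thread) that ties the three points above together in plain Ruby with no database, so it runs offline: string interpolation places the value inside the SQL text, Float()/Integer() can only ever produce a number (so a converted value is injection-safe, as Phillip and Florian say), and a bind-variable statement keeps the data out of the SQL text altogether. `BindStatement`, `interpolated_sql`, `strict_rank`, `lenient_rank` and `update_ranks` are hypothetical names; `BindStatement` is an assumed stand-in that only mirrors the parse/exec shape of a ruby-oci8 cursor, not the real class.

```ruby
# Added example, not code from the thread. Demonstrates why interpolation is
# the injection vector, why Float()/Integer() make a value safe to embed, and
# how positional bind variables (:1, :2, ...) keep data out of the SQL text.
# BindStatement is an assumed stand-in for a ruby-oci8 cursor; not the real API.

UPDATE_SQL = "UPDATE SCH_EVENT SET P_ID = 2444334 " \
             "WHERE RANK = :1 AND playlist_id = 432".freeze

# Unsafe pattern: whatever `rank` contains becomes part of the statement text.
def interpolated_sql(rank)
  "UPDATE SCH_EVENT SET P_ID = 2444334 WHERE RANK = #{rank} AND playlist_id = 432"
end

# Strict conversion: Float() raises ArgumentError unless the whole string is
# a number, so hostile input never reaches the SQL text at all.
def strict_rank(value)
  Float(value)
end

# Lenient conversion: String#to_f takes the leading number and drops the rest.
# Still injection-safe (the result is a Float, never SQL), but it silently
# accepts garbage, which is why Float() is the better choice.
def lenient_rank(value)
  value.to_f
end

# Stand-in (assumption) for a parsed statement with positional bind variables.
# Like an OCI8 cursor, exec sends the bind values alongside the unchanged SQL.
class BindStatement
  attr_reader :sql, :executions

  def initialize(sql)
    @sql = sql.dup.freeze
    @executions = []
  end

  def exec(*binds)
    @executions << binds   # values travel separately; @sql is never rewritten
    self
  end

  def close
    @executions.freeze
  end
end

# The loop from the thread: parse once, bind the numeric rank per iteration.
# Returns the number of executions performed.
def update_ranks(stmt, ranks)
  ranks.each { |q| stmt.exec(strict_rank(q)) }
  stmt.close
  stmt.executions.size
end

if __FILE__ == $PROGRAM_NAME
  puts interpolated_sql("1 OR 1=1")   # the injected predicate is now in the SQL
  begin
    strict_rank("1 OR 1=1")
  rescue ArgumentError => e
    puts "Float() rejected it: #{e.message}"
  end
  puts "to_f gives a plain number: #{lenient_rank('1 OR 1=1')}"
  stmt = BindStatement.new(UPDATE_SQL)
  puts "executions: #{update_ranks(stmt, 0...4)}"
  puts "SQL text unchanged: #{stmt.sql == UPDATE_SQL}"
end
```

With a real ruby-oci8 connection the `BindStatement` stand-in would be replaced by `conn.parse(UPDATE_SQL)` and the loop body stays the same; the point the test checks is that the statement text never changes while the values go through exec.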
Yeah… this is just an example…
but #{} does convert the variables into the SQL query,
to_f and to_i work~~
Thanks guys~
-Erick
Florian G. wrote:
On May 30, 2008, at 6:37 PM, Phillip G. wrote:
Converting to a number type before using the value is injection-safe.
I wonder how you are going to convince #to_f (or #to_i) to return valid SQL code.
But: why don't you just use prepared statements?
Regards,
Florian G.
On Fri, May 30, 2008 at 1:04 AM, KUBO Takehiro [email protected] wrote:
How can you not still do insecure injection with this?
Well, if you use single quotes for your SQL string, you can't, because either
the SQL library will quote the other arguments properly, or they'll be sent
to the database via some other mechanism than inclusion in the string.
As another example: There’s nothing inherently insecure about: