Hi,
How can I pass a variable to a SQL query like
rs = dbh.prepare("select * from status_check where id=204")
rs.execute
Instead of giving the value of id, I want to make it dynamic, where I can
pass the dynamic value of id fetched from the database, much like in PL/SQL.
How to do this? Anybody help!!
Pradeepta S. wrote:
Hi,
How can I pass a variable to a SQL query like
rs = dbh.prepare("select * from status_check where id=204")
rs.execute
Instead of giving the value of id, I want to make it dynamic, where I can
pass the dynamic value of id fetched from the database, much like in PL/SQL.
How to do this? Anybody help!!
rs = dbh.prepare("select * from status_check where id=#{value}")
rs.execute
On Jan 1, 2008, at 9:45 PM, Pradeepta S. wrote:
How to do this? Anybody help!!
Posted via http://www.ruby-forum.com/.
Look up "placeholders". A Google search yielded:
http://www.kitebird.com/articles/ruby-dbi.html#TOC_8
David M.
Maia Mailguard http://www.maiamailguard.com
[email protected]
On Jan 2, 2008, at 1:01 AM, Karthi kn wrote:
SQL.
How to do this? Anybody help!!
rs = dbh.prepare("select * from status_check where id=#{value}")
rs.execute
NO! This is a security risk.
This opens you up to SQL injection attacks. You should always use
placeholders so the library can properly escape your input. See my
other message for a link on how to use placeholders.
David M.
Maia Mailguard http://www.maiamailguard.com
[email protected]
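An added example (not code from the thread or from Ruby DBI itself) contrasting the two shapes discussed above: interpolating the value into the SQL text versus keeping the text fixed with a `?` placeholder and binding the value at execute time, which is how Ruby DBI's prepare/execute placeholders work. `RecordingHandle`, `fetch_status` and `coerce_id` are assumed names; the handle is a stand-in that records what a driver would receive, so the code runs without a database.

```ruby
# Vulnerable form (what the thread's #{value} version does): the caller's
# value becomes part of the SQL text, so the statement itself changes shape.
def interpolated_query(value)
  "select * from status_check where id=#{value}"
end

# Safe form: the SQL text never changes; the value travels separately as a
# bind parameter. Returns [sql, params], the two things handed to prepare/execute.
def placeholder_query(value)
  ["select * from status_check where id=?", [value]]
end

# Defence in depth: id is a numeric column, so reject anything that is not
# strictly a base-10 integer before it ever reaches the driver.
def coerce_id(value)
  Integer(value.to_s, 10)
rescue ArgumentError, TypeError
  raise ArgumentError, "id must be an integer, got #{value.inspect}"
end

# Stand-in for a DBI database handle (assumed, for illustration only): it records
# the SQL text and the bound parameters exactly as a driver would receive them.
class RecordingHandle
  Statement = Struct.new(:sql, :params) do
    def execute(*args)
      self.params = args
      self
    end
  end
  attr_reader :statements
  def initialize
    @statements = []
  end
  def prepare(sql)
    Statement.new(sql, nil).tap { |s| @statements << s }
  end
end

# Hypothetical replacement for the thread's snippet: validate, then bind.
def fetch_status(dbh, raw_id)
  sql, params = placeholder_query(coerce_id(raw_id))
  sth = dbh.prepare(sql)
  sth.execute(*params)
end

if __FILE__ == $0
  # Constructed inputs: a normal id and a string that is not an integer at all.
  ["204", "204 OR 1=1"].each do |raw|
    puts "interpolated: #{interpolated_query(raw)}"   # text differs per input
    puts "placeholder:  #{placeholder_query(raw).inspect}"  # text is constant
  end
  puts fetch_status(RecordingHandle.new, "204").inspect
end
```

Only the placeholder path keeps the statement text identical for every input; the interpolated path lets the second constructed input alter the WHERE clause, which is the risk David describes.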