Find :order=>["?",@variable] doesn't work

It doesn't parse the ? mark and replace it with @variable. You cannot use it the same way as in :conditions=>["?",@variable]. Perhaps this should be implemented/fixed?

--
Best
Karol Hosiawa
I suppose this is because database drivers only support this kind of syntax for bind variables. Bind variables can only be used in WHERE clauses. You perhaps could use find :order => "#{@variable}"

Regards
Julien Faissolle

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org On Behalf Of Karol Hosiawa
Sent: Monday, April 25, 2005 2:28 PM
To: Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: [Rails] Find :order=>["?",@variable] doesn't work

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
On 4/25/05, Faissolle, Julien <julien.faissolle-VXdhtT5mjnY@public.gmane.org> wrote:
> I suppose this is because database drivers only support this kind of
> syntax for bind variables. Bind variables can only be used in WHERE
> clauses. You perhaps could use find :order => "#{@variable}"

I think the reason for trying to get the substitution the other way was because @variable comes from an untrusted source, like @params. What function should be used to make string variables query-safe?

> Regards
> Julien Faissolle

Sincerely,
Tom Reinhart
tom-V0YqjHVuocLQT0dZR+AlfA@public.gmane.org
http://www.AllTom.com/
Normal parameterized queries vary only by the values of the WHERE clause arguments. What is sought here is to modify the query itself by an untrusted parameter. This is inherently dangerous. I think the best would be to validate the parameter beforehand to check that it belongs to a given subset of values. But it would be perhaps sufficient to check if the parameter contains the keyword 'SELECT' because it is inserted in the ORDER clause of the query. Perhaps I am mistaken, but at the moment, the only way I see the query perverted would be to pass something like 'UNION SELECT ....'.

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org On Behalf Of Tom Reinhart
Sent: Monday, April 25, 2005 3:59 PM
To: rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: Re: [Rails] Find :order=>["?",@variable] doesn't work
On 4/26/05, Tom Reinhart <alltom-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I think the reason for trying to get the substitution the other way
> was because @variable comes from an untrusted source, like @params.
> What function should be used to make string variables query-safe?

connection.quote is what the adapters use.

--
Cheers
Koz
Yes, but I think this works only for WHERE clause parameters (query variables), which become quoted so they cannot contain something else than a value. What the original post described was a dynamic modification of the query, by parameterizing the ORDER BY clause. The quote method won't do there precisely because the contents should not be quoted. We want ORDER BY name, not ORDER BY 'name'.

-----Original Message-----
From: rails-bounces-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org On Behalf Of Michael Koziarski
Sent: Monday, April 25, 2005 10:02 PM
To: thomas-rN3PHIWzTs1Jm/Hvfsr4+Q@public.gmane.org; rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
Subject: Re: [Rails] Find :order=>["?",@variable] doesn't work
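As an added example (not code from the thread or from Rails itself): the allowlist validation Julien suggests for an ORDER BY parameter, alongside a stand-in for connection.quote that shows why a quoted literal is the wrong tool for that clause. The people table, its column names and the helper names are assumptions.

```ruby
# Hypothetical allowlist of sortable columns and directions for a "people" table.
SORTABLE_COLUMNS = %w[name created_at email].freeze
DIRECTIONS       = %w[ASC DESC].freeze

# Stand-in for connection.quote: turns the value into a string literal.
# Right for WHERE values; in ORDER BY it yields ORDER BY 'name', a constant.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Returns a safe ORDER BY fragment, or nil when the untrusted input is not
# exactly an allowlisted column followed by an optional allowlisted direction.
def order_clause(param)
  column, direction = param.to_s.split(" ", 2)
  direction = (direction || "ASC").upcase
  return nil unless SORTABLE_COLUMNS.include?(column) && DIRECTIONS.include?(direction)
  "#{column} #{direction}"
end

# Falls back to a fixed default rather than interpolating rejected input.
def build_query(order_param, default: "name ASC")
  clause = order_clause(order_param) || default
  "SELECT * FROM people ORDER BY #{clause}"
end

if __FILE__ == $0
  puts build_query("created_at desc")            # constructed request parameter
  puts build_query("name UNION SELECT ....")     # the thread's example, rejected
  puts "ORDER BY #{quote_literal('name')}"       # why quoting does not fit here
end
```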