I'm trying to do something like:

SELECT * FROM attachment WHERE filename LIKE '%whatever%';

so my code is:

@search = params[:search]
@attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s])

but that's converting to:

SELECT * FROM attachments WHERE (filename LIKE '%'whatever'%');

how do i prevent those extra single quotes from being inserted?
thanks!
steve
Stephen Karsch wrote:
> I'm trying to do something like:
>
> SELECT * FROM attachment WHERE filename LIKE '%whatever%';
>
> so my code is:
>
> @search = params[:search]
> @attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s])

Try

Attachment.find(:all, :conditions => ["filename LIKE '?'", '%' + @search.to_s + '%'])

--
Posted via http://www.ruby-forum.com/.
+-On 11/12/2005 17:47 +0100, Andreas Schwarz wrote:
| Stephen Karsch wrote:
|> I'm trying to do something like:
|>
|> SELECT * FROM attachment WHERE filename LIKE '%whatever%';
|>
|> so my code is:
|>
|> @search = params[:search]
|> @attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s])
|
| Try
| Attachment.find(:all, :conditions => ["filename LIKE '?'", '%' + @search.to_s + '%'])

'..LIKE ?'

--
Mathieu Arnold
that got me close... i had to change it to:

@attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", '%' + @search.to_s + '%'])

thanks for your help!!!!
steve

Andreas Schwarz wrote:
> Stephen Karsch wrote:
>> I'm trying to do something like:
>>
>> SELECT * FROM attachment WHERE filename LIKE '%whatever%';
>>
>> so my code is:
>>
>> @search = params[:search]
>> @attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s])
>
> Try
> Attachment.find(:all, :conditions => ["filename LIKE '?'", '%' + @search.to_s + '%'])
>
Mathieu Arnold wrote:
> +-On 11/12/2005 17:47 +0100, Andreas Schwarz wrote:
> | Stephen Karsch wrote:
> |> I'm trying to do something like:
> |>
> |> SELECT * FROM attachment WHERE filename LIKE '%whatever%';
> |>
> |> so my code is:
> |>
> |> @search = params[:search]
> |> @attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s])
> |
> | Try
> | Attachment.find(:all, :conditions => ["filename LIKE '?'", '%' + @search.to_s + '%'])
>
> '..LIKE ?'

Yes, that's what I meant.
I'm not a rails expert but I think you could do:

@attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", "%#{@search}%"])

Not sure if this is the best way but it should work.

Dan

Stephen Karsch wrote:
> I'm trying to do something like:
>
> SELECT * FROM attachment WHERE filename LIKE '%whatever%';
>
> so my code is:
>
> @search = params[:search]
> @attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s])
>
> but that's converting to:
>
> SELECT * FROM attachments WHERE (filename LIKE '%'whatever'%');
>
> how do i prevent those extra single quotes from being inserted?
> thanks!
> steve
>
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
Dan Fitzpatrick wrote:
> I'm not a rails expert but I think you could do:
>
> @attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", "%#{@search}%"])
>
> Not sure if this is the best way but it should work.
>
> Dan

Dan that way leaves you open for SQL injection attacks :)

using the [x=?], var way is much safer as rails protects you.

Tim
On Apr 17, 2006, at 6:47 AM, Tim Perrett wrote:
> Dan Fitzpatrick wrote:
>> I'm not a rails expert but I think you could do:
>>
>> @attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", "%#{@search}%"])
>>
>> Not sure if this is the best way but it should work.
>>
>> Dan
>
> Dan that way leaves you open for SQL injection attacks :)
>
> using the [x=?], var way is much safer as rails protects you.

But...Dan *is* using placeholders.

Would it be different if he said:

@attachments = Attachment.find(:all, :conditions => ["filename LIKE %?%", @search])

I don't think that would work with true placeholders, but it might work with Rails.

--
-- Tom Mornini
On Apr 17, 2006, at 11:30 AM, Tom Mornini wrote:
> On Apr 17, 2006, at 6:47 AM, Tim Perrett wrote:
>
>> Dan Fitzpatrick wrote:
>>> I'm not a rails expert but I think you could do:
>>>
>>> @attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", "%#{@search}%"])
>>>
>>> Not sure if this is the best way but it should work.
>>>
>>> Dan
>>
>> Dan that way leaves you open for SQL injection attacks :)
>>
>> using the [x=?], var way is much safer as rails protects you.
>
> But...Dan *is* using placeholders.
>
> Would it be different if he said:
>
> @attachments = Attachment.find(:all, :conditions => ["filename LIKE %?%", @search])
>
> I don't think that would work with true placeholders, but it might work with Rails.

What about:

@attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", '%' + @search + '%'])

You like? (pun intended only sub-consciously)

-Derrick Spell
On Apr 17, 2006, at 8:53 AM, Derrick Spell wrote:
> On Apr 17, 2006, at 11:30 AM, Tom Mornini wrote:
>
>> On Apr 17, 2006, at 6:47 AM, Tim Perrett wrote:
>>
>>> Dan Fitzpatrick wrote:
>>>> I'm not a rails expert but I think you could do:
>>>>
>>>> @attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", "%#{@search}%"])
>>>>
>>>> Not sure if this is the best way but it should work.
>>>>
>>>> Dan
>>>
>>> Dan that way leaves you open for SQL injection attacks :)
>>>
>>> using the [x=?], var way is much safer as rails protects you.
>>
>> But...Dan *is* using placeholders.
>>
>> Would it be different if he said:
>>
>> @attachments = Attachment.find(:all, :conditions => ["filename LIKE %?%", @search])
>>
>> I don't think that would work with true placeholders, but it might work with Rails.
>
> What about:
>
> @attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", '%' + @search + '%'])
>
> You like? (pun intended only sub-consciously)

Identical end result to this from above:

>>>> @attachments = Attachment.find(:all, :conditions => ["filename LIKE ?", "%#{@search}%"])

Color me prejudiced, but I do prefer your version. Ruby string interpolation is painfully hard to look at IMHO.

--
-- Tom Mornini
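An added example, not code from this thread or from Rails itself, that models both points raised above: the `'%?%'` form from the first message, where the placeholder sits inside the quotes, and the later exchange over whether `"%#{@search}%"` as a bound value is open to injection. `quote_value`, `sanitize_sql_array`, `escape_like` and `build_search` are hypothetical helpers written here to mimic what an adapter does with each `?`; the backslash escape character and the `ESCAPE '\'` clause are assumptions about the database in use.

```ruby
# Added example, not code from the thread or from Rails: a small model of how
# the array form of :conditions binds each `?`, so the variants discussed in
# the thread can be compared on the SQL text they actually produce.

# Quote one value as an SQL string literal: wrap it in single quotes and double
# any single quote inside it. This is the step applied to every bound value,
# and it is why a bound value cannot terminate its own literal.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute the bound values for the `?` markers, left to right, the way
# Attachment.find(:all, :conditions => [sql, v1, v2]) does (hypothetical helper).
def sanitize_sql_array(sql, *values)
  raise ArgumentError, "wrong number of bind values" unless sql.count("?") == values.size
  remaining = values.dup
  sql.gsub("?") { quote_value(remaining.shift) }
end

# 1. The first message's attempt: the marker sits inside the quotes, so the
#    already-quoted value lands in the middle of the literal.
def broken_form(term)
  sanitize_sql_array("filename LIKE '%?%'", term)
end

# 2. The fix the thread settles on: the wildcards are part of the bound value
#    and the whole value is quoted once. Building it as "%#{term}%" instead of
#    "%" + term + "%" yields the same SQL, because the interpolation happens in
#    the Ruby value, not in the SQL text.
def fixed_form(term)
  sanitize_sql_array("filename LIKE ?", "%" + term.to_s + "%")
end

# 3. The form that really is exposed: interpolating the input into the SQL text,
#    where a single quote in the input ends the literal early.
def interpolated_form(term)
  "filename LIKE '%#{term}%'"
end

# Placeholders protect the SQL syntax but not the LIKE pattern: a `%` or `_`
# typed by the user still acts as a wildcard. Escape them with a backslash
# (assumed escape character) before adding the surrounding wildcards.
def escape_like(term, escape = "\\")
  term.to_s.gsub(/[\\%_]/) { |c| escape + c }
end

# Full statement with the pattern escaped and the ESCAPE clause declared.
def build_search(term)
  sanitize_sql_array(
    "SELECT * FROM attachments WHERE filename LIKE ? ESCAPE '\\'",
    "%" + escape_like(term) + "%"
  )
end

if __FILE__ == $0
  puts broken_form("whatever")    # filename LIKE '%'whatever'%'
  puts fixed_form("it's")         # filename LIKE '%it''s%'
  puts interpolated_form("it's")  # filename LIKE '%it's%'  (unbalanced quote)
  puts build_search("50%")        # ... LIKE '%50\%%' ESCAPE '\'
end
```

Run it with `ruby` and compare the four lines: the bound form doubles the embedded quote and stays one literal, the interpolated form does not, and only `build_search` stops a user-supplied `%` from matching every row.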