Alain Ravet
2006-Mar-20 10:59 UTC
[Rails] :conditions => ["phone like '%:phone%'" , {:phone => "555"}]
Hi all,

What's wrong with the way I specify the condition in:

Person.find :all, :conditions => ["phone like '%:phone%'", {:phone => "555"}]

? It translates to (note the two ' between the two "):

SELECT * FROM people WHERE (phone like "%'555'%")

instead of

SELECT * FROM people WHERE (phone like "%555%")

Another way to produce this problem:

OK:
model = "555"
conditions = "value like '%#{model}%'"

ERROR:
model = "555"
conditions = ["value like '%?%'", model] ==> WHERE (phone like "%'555'%")

What's the right way to write this query?

TIA
Alain
-- 
Posted via http://www.ruby-forum.com/.
Loïc Guitaut
2006-Mar-20 11:03 UTC
[Rails] :conditions => ["phone like '%:phone%'" , {:phone => "555"}]
On Monday 20 March 2006 11:59, Alain Ravet wrote:
> Hi all,
>
Hi,

Try this:

Person.find :all, :conditions => ["phone like ?", "%" + phone + "%"]

I think it should work :)
-- 
Loïc Guitaut
http://www.belfalas.org
Jabber ID : Flink@im.apinc.org
GnuPG KeyID : 0xA78CD85D
Alain Ravet
2006-Mar-20 11:24 UTC
[Rails] Solved( Re: :conditions => ["phone like '%:phone%'" )
Thanks Loïc, it worked.

Alain

> Try this :
> Person.find :all, :conditions => ["phone like ?", "%" + phone + "%"]
-- 
Posted via http://www.ruby-forum.com/.
dblack@wobblini.net
2006-Mar-20 13:54 UTC
[Rails] :conditions => ["phone like '%:phone%'" , {:phone => "555"}]
Hi --

On Mon, 20 Mar 2006, Alain Ravet wrote:
> Hi all,
>
> What's wrong with the way I specify the condition in:
>
> Person.find :all, :conditions => ["phone like '%:phone%'", {:phone => "555"}]
> ?
>
> It translates to (note the two ' between the two ")
> SELECT * FROM people WHERE (phone like "%'555'%")
>
> instead of
> SELECT * FROM people WHERE (phone like "%555%")
>
> Another way to produce this problem:
>
> OK:
> model = "555"
> conditions = "value like '%#{model}%'"
>
> ERROR:
> model = "555"
> conditions = ["value like '%?%'", model] ==> WHERE (phone like "%'555'%")
>
> What's the right way to write this query?

The way that works :-) Actually you can do this:

"value like ?", "%#{model}%"

or equivalent, but I'd rather do "value like '%#{model}%'" in the first place (unless there's an advantage to the ? technique that I'm not taking into account).

David
-- 
David A. Black (dblack@wobblini.net)
Ruby Power and Light, LLC (http://www.rubypowerandlight.com)
"Ruby for Rails" chapters now available from Manning Early Access Program!
http://www.manning.com/books/black
Erik van Oosten
2006-Mar-20 14:07 UTC
[Rails] :conditions => ["phone like '%:phone%'" , {:phone => "555"}]
You should always use the form

"value like ?", "%#{model}%"

to prevent problems. Model might contain a question mark or, perhaps worse, quotes.

Even if you know model never to contain special characters, it is better to get used to the form above. Next time, model is a value entered by a user, leaving your site open to SQL code injection attacks.

Another advantage is performance. Some databases cache compiled queries. When you put 'model' directly in the query, the query will be different every time, making caching impossible.

Erik.

> The way that works :-) Actually you can do this:
>
> "value like ?", "%#{model}%"
>
> or equivalent, but I'd rather do "value like '%#{model}%'" in the
> first place (unless there's an advantage to the ? technique that I'm
> not taking into account).
>
> David
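The three condition forms discussed in this thread side by side, as an added example that is not code from the thread or from Rails. It assumes a small stand-in for ActiveRecord's "?" bind substitution (the real sanitize_sql_array is not loaded here); the stand-in quotes string values by wrapping them in single quotes and doubling any embedded quote, which is the SQL-standard rule and enough to show why the placeholder form is safe where interpolation is not.

```ruby
# Stand-in for ActiveRecord's bind quoting (assumption: simplified, offline).
# A string value becomes a single-quoted SQL literal; an embedded single
# quote is doubled so it can never terminate the literal early.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for ActiveRecord's sanitize_sql_array: each "?" in the fragment is
# replaced, left to right, by the next quoted bind value.
def sanitize_sql_array(sql, *binds)
  binds = binds.dup
  out = sql.gsub("?") do
    raise ArgumentError, "wrong number of bind variables" if binds.empty?
    quote_literal(binds.shift)
  end
  raise ArgumentError, "wrong number of bind variables" unless binds.empty?
  out
end

# The original poster's form: "?" sits inside a quoted literal, so the quoted
# bind value is nested inside it and the wildcards end up outside the value.
def wildcard_inside_quotes(term)
  sanitize_sql_array("phone like '%?%'", term)
end

# The form recommended in the thread: the wildcards are part of the bind
# value, and the driver supplies the quoting.
def wildcard_in_bind(term)
  sanitize_sql_array("phone like ?", "%#{term}%")
end

# String interpolation: the value is pasted into the SQL text unquoted, so a
# quote in the value changes the structure of the statement.
def interpolated(term)
  "phone like '%#{term}%'"
end

if __FILE__ == $PROGRAM_NAME
  ["555", "5'5"].each do |term|
    puts "term=#{term.inspect}"
    puts "  inside quotes : #{wildcard_inside_quotes(term)}"
    puts "  in bind       : #{wildcard_in_bind(term)}"
    puts "  interpolated  : #{interpolated(term)}"
  end
end
```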
dblack@wobblini.net
2006-Mar-20 14:15 UTC
[Rails] :conditions => ["phone like '%:phone%'" , {:phone => "555"}]
Hi --

On Mon, 20 Mar 2006, Erik van Oosten wrote:
> You should always use the form
>
> "value like ?", "%#{model}%"
>
> to prevent problems. Model might contain a question mark or perhaps worse:
> quotes.
>
> Even if you know model never to contain special characters it is better to
> get used to the form above. Next time, model is a value entered by a user,
> leaving your site open for sql code injection attacks.

Indeed -- I wasn't factoring in the escape mechanism.

David
-- 
David A. Black (dblack@wobblini.net)
Ruby Power and Light, LLC (http://www.rubypowerandlight.com)
"Ruby for Rails" chapters now available from Manning Early Access Program!
http://www.manning.com/books/black