I'm using a postgres database and have run into problems where attributes on a model are not sanitised correctly before being saved. The following code:

comment = Comment.new( :item => item )
comment.comment = "dog's breakfast"
comment.save

Produces the following incorrect SQL in my logs:

SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's breakfast' and subscriber_id = '90')

As you can see the ' in "Dog's breakfast" is causing issues. How do I ensure this is sanitised correctly?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 14 Apr 2008, at 13:36, Farrel wrote:

> I'm using a postgres database and have run into problems where
> attributes on a model are not sanitised correctly before being saved.
> The following code:
>
> comment = Comment.new( :item => item )
> comment.comment = "dog's breakfast"
> comment.save
>
> Produces the following incorrect SQL in my logs:
> SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's
> breakfast' and subscriber_id = '90')

Are you sure this is the relevant snippet - why would a save be doing a select?

Fred

> As you can see the ' in "Dog's breakfast" is causing issues. How do I
> ensure this is sanitised correctly?
On Apr 14, 3:19 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Are you sure this is the relevant snippet - why would a save be doing
> a select?
>
> Fred

I'm not sure, it seems to be done by Rails.

Farrel
On 14 Apr 2008, at 14:24, Farrel wrote:

> On Apr 14, 3:19 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> Are you sure this is the relevant snippet - why would a save be doing
>> a select?
>>
>> Fred
>
> I'm not sure, it seems to be done by Rails.

The obvious way to do it is to delete your development.log file, open up the console and whack in what you had before (and only that) and see what's in the logs after.

Fred

> Farrel
On Apr 14, 3:30 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> The obvious way to do it is to delete your development.log file, open
> up the console and whack in what you had before (and only that) and
> see what's in the logs after.
>
> Fred

I did that and it still does a select before doing an insert. Again not sure why, but that is secondary to my question about the ' not being sanitised in the attribute.

Farrel
On Apr 14, 2008, at 9:40 AM, Farrel wrote:

> On Apr 14, 3:30 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> The obvious way to do it is to delete your development.log file, open
>> up the console and whack in what you had before (and only that) and
>> see what's in the logs after.
>>
>> Fred
>
> I did that and it still does a select before doing an insert. Again
> not sure why, but that is secondary to my question about the ' not
> being sanitised in the attribute.
>
> Farrel

Do you have any validations on the model? In particular, validates_uniqueness_of will cause "select before insert".

-Rob

Rob Biedenharn
http://agileconsultingllc.com
Rob-xa9cJyRlE0mWcWVYNo9pwxS2lgjeYSpx@public.gmane.org
Farrel wrote:

> I'm using a postgres database and have run into problems where
> attributes on a model are not sanitised correctly before being saved.
> The following code:
>
> comment = Comment.new( :item => item )
> comment.comment = "dog's breakfast"
> comment.save
>
> Produces the following incorrect SQL in my logs:
> SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's
> breakfast' and subscriber_id = '90')
>
> As you can see the ' in "Dog's breakfast" is causing issues. How do I
> ensure this is sanitised correctly?

you could sanitize it yourself (?)

--
Posted via http://www.ruby-forum.com/.
On Apr 15, 9:10 am, Roger Pack <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> you could sanitize it yourself (?)

That's what I eventually did.

Farrel
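The following is an added example for the question at the top of the thread and for the "sanitize it yourself" suggestion at the end; it is not code from any poster and does not use ActiveRecord or the pg gem. It shows, in plain Ruby, why the logged SELECT is malformed (the apostrophe in the value closes the literal early), what a correctly quoted literal looks like (each single quote inside the value doubled, which is the SQL-standard literal syntax PostgreSQL expects), and a small check that scans log lines for statements whose string literals do not balance. The helpers, the `uniqueness_check_sql` builder and the `SAMPLE_LOG` lines are all constructed for this example; only the column and table names come from the thread.

```ruby
# Added example, not code from the thread or from Rails. Pure Ruby, no gems.

# Naive interpolation: this is the shape of the statement in the thread's log.
# A quote inside the value ends the SQL string literal early.
def naive_literal(value)
  "'#{value}'"
end

# Correct quoting for a SQL string literal: every single quote inside the
# value is doubled. This mirrors the SQL rule itself, not the internals of
# ActiveRecord's connection.quote.
def quoted_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Builds the kind of lookup that runs before an INSERT when a uniqueness
# validation is present, using the corrected literal for string columns and a
# strict integer conversion for the numeric one. Hypothetical helper.
def uniqueness_check_sql(item_id:, comment:, subscriber_id:)
  "SELECT id FROM comments WHERE (item_id = #{Integer(item_id)} " \
  "and comment = #{quoted_literal(comment)} " \
  "and subscriber_id = #{quoted_literal(subscriber_id.to_s)})"
end

# Detection: walk a statement and track whether we are inside a string literal,
# treating '' as an escaped quote. Returns true when every literal is closed.
def balanced_literals?(sql)
  in_literal = false
  i = 0
  while i < sql.length
    if sql[i] == "'"
      if in_literal && sql[i + 1] == "'"
        i += 1                      # escaped quote, stay inside the literal
      else
        in_literal = !in_literal    # open or close a literal
      end
    end
    i += 1
  end
  !in_literal
end

# Constructed sample log lines (not taken from a real development.log):
# the first is the malformed form from the thread, the second is what a
# correctly quoted value produces, the third is an unrelated clean statement.
SAMPLE_LOG = [
  "Comment Load (0.3ms)  SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's breakfast' and subscriber_id = '90')",
  "Comment Load (0.2ms)  SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog''s breakfast' and subscriber_id = '90')",
  "Comment Create (0.5ms)  INSERT INTO comments (item_id, comment) VALUES (38, 'plain text')",
].freeze

# Returns the log lines whose string literals do not balance, i.e. statements
# where a value was interpolated without quoting.
def malformed_statements(log_lines)
  log_lines.reject { |line| balanced_literals?(line) }
end

if __FILE__ == $PROGRAM_NAME
  value = "Dog's breakfast"
  puts "naive:   #{naive_literal(value)}"
  puts "quoted:  #{quoted_literal(value)}"
  puts uniqueness_check_sql(item_id: 38, comment: value, subscriber_id: 90)
  puts "malformed log lines: #{malformed_statements(SAMPLE_LOG).length}"
end
```

Running the file prints the two literal forms side by side and reports one malformed statement out of the three constructed log lines. The balanced-literal check is deliberately simple (it does not understand dollar-quoted strings or comments), which is enough to flag the symptom the thread describes in a development log.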