Hi All,

I am using the following code to find the artist:

    @actual_artist = Artist.find_by_name(params[:record][:artist_name])   # Line A

My problem is that I receive data like

    params[:record][:artist_name] = "Acg\""

so my application crashes on Line A. How to avoid it?

Thanks in advance,
Salil
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On Apr 10, 11:56 am, Salil Gaikwad <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi All,
> I am using the following code to find the artist
> @actual_artist = Artist.find_by_name(params[:record][:artist_name])   # Line A
>
> My problem is that I receive data like
> params[:record][:artist_name] = "Acg\""
>
> so my application crashes on Line A.

What error do you get?

Fred
> What error do you get?
>
> Fred

Sorry Fred, I'm unable to reproduce the same error. So I start with another one...

    params[:album] = "Bust a Move (12\" Remixes) - EP"

    TempRoyaltyReport.update_all(
      "artist_name=#{@artist},album_name =#{@album},upc = #{params[:upc]},status = 'corrected'",
      "artist_name = \"#{@corrected_artist.artist_name}\" and album_name = \"#{@corrected_artist.album_name}\" and upc = '#{@corrected_artist.upc}'"
    )

And I get the following error:

    Mysql::Error: #42000You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Remixes) - EP",upc = 829357903914,status = 'corrected' WHERE (artist_name = "VAR' at line 1: UPDATE temp_royalty_reports SET artist_name="Young MC",album_name ="Bust a Move (12" Remixes) - EP",upc = 829357903914,status = 'corrected' WHERE (artist_name = "VARIOUS ARTISTS" and album_name = "RMXXOLOGY DELUXE" and isrc = 'USDE10801060')
--
Posted via http://www.ruby-forum.com/.
The problem here is that update_all doesn't actually sanitize the value passed to the 'updates' parameter. Your particular example will work if you just surround the #{@album} in single quotes, but that's obviously not going to address the broader problem. Rather, you'll need to do something like the following:

    # fetch the rows to change with a hash condition (sanitized by ActiveRecord)
    records = TempRoyaltyReport.find(:all, :conditions => {
      :artist_name => @corrected_artist.artist_name,
      :album_name  => @corrected_artist.album_name,
      :upc         => @corrected_artist.upc
    })
    # then update each one through update_attributes, which quotes the values
    records.each { |r|
      r.update_attributes({ :artist_name => @artist, :album_name => @album,
                            :upc => params[:upc], :status => 'corrected' })
    }

The basic idea is to retrieve all the records to be updated first (or for better performance just the list of IDs to be updated), and *then* use the ActiveRecord::Base methods that actually know how to sanitize input.

On Apr 11, 4:48 am, Salil Gaikwad <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> > What error do you get?
> >
> > Fred
>
> Sorry Fred, I'm unable to reproduce the same error. So I start with another one...
> [...]
On Apr 11, 5:16 pm, pharrington <xenogene...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> The problem here is that update_all doesn't actually sanitize the
> value passed to the 'updates' parameter.

It can do if you give it a chance, e.g.

    TempRoyaltyReport.update_all(["artist_name = ?", @artist_name])

or

    TempRoyaltyReport.update_all(:artist_name => @artist_name)

Just like the conditions you pass to find.

Fred

> Your particular example will work if you just surround the #{@album} in single quotes, but
> that's obviously not going to address the broader problem.
> [...]
Don't know why I didn't know this. Thanks!

On Apr 11, 12:52 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Apr 11, 5:16 pm, pharrington <xenogene...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > The problem here is that update_all doesn't actually sanitize the
> > value passed to the 'updates' parameter.
>
> It can do if you give it a chance, e.g.
> TempRoyaltyReport.update_all(["artist_name = ?", @artist_name])
> or
> TempRoyaltyReport.update_all(:artist_name => @artist_name).
> Just like the conditions you pass to find.
>
> Fred
> [...]
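As an added example (not code from the thread), the following shows why the interpolated SET clause in Salil's update_all call breaks on the album title and what Fred's ["... = ?", value] form does instead. quote_sql_value and sql_string_literals are simplified stand-ins written for this example, not ActiveRecord's quoting or MySQL's parser; in an application, use update_all's array or hash form rather than quoting by hand.

```ruby
# Added example, not code from the thread: why the interpolated SET clause
# breaks on the album title, and what the ["... = ?", value] form does.
# quote_sql_value mimics MySQL-style quoting and sql_string_literals is a
# toy lexer; both are stand-ins for demonstration, not ActiveRecord's code.

# Constructed sample values, taken from the failing request in the thread.
ARTIST = "Young MC"
ALBUM  = 'Bust a Move (12" Remixes) - EP'

# The thread's approach: raw values interpolated into the SET clause.
def naive_set_clause(artist, album)
  "artist_name=\"#{artist}\",album_name =\"#{album}\""
end

# Quote one value as a single-quoted SQL string literal, escaping \ and '.
def quote_sql_value(value)
  return "NULL" if value.nil?
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" } + "'"
end

# Bind an ["sql with ?", v1, v2, ...] template the way update_all accepts it.
def bind_placeholders(template, *values)
  raise ArgumentError, "placeholder count mismatch" if template.count("?") != values.size
  queue = values.dup
  template.gsub("?") { quote_sql_value(queue.shift) }
end

# Minimal lexer: the string literals a MySQL-style parser sees (' or " delimited,
# backslash escapes honoured) and whether the text ended inside an open literal.
def sql_string_literals(sql)
  literals, i = [], 0
  while i < sql.length
    if sql[i] == "'" || sql[i] == '"'
      delim, buf, closed = sql[i], String.new, false
      i += 1
      while i < sql.length
        if sql[i] == "\\" && i + 1 < sql.length then buf << sql[i + 1]; i += 2
        elsif sql[i] == delim then closed = true; i += 1; break
        else buf << sql[i]; i += 1
        end
      end
      literals << buf
      return [literals, false] unless closed   # opened quote never closed
    else
      i += 1
    end
  end
  [literals, true]
end
```

Running sql_string_literals over naive_set_clause(ARTIST, ALBUM) shows the album literal cut off at `(12` and a dangling unterminated quote, which is exactly the "near 'Remixes) - EP"...'" position MySQL reported; the bound form yields two intact literals.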