I want to do something like this in Rails:

"SELECT *, COUNT(post_id) AS total FROM comments ... conditions"

Is that SELECT possible in Rails? Otherwise, I can use find_by_sql, but I'm trying to avoid SQL injection and this SQL needs a parameter. Is there a way to sanitize this parameter?

I'll appreciate any help
--
Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
pharrington
2010-Feb-05 19:30 UTC
Re: Is this SQL possible with Rails? How can I sanitize?
On Feb 5, 2:09 pm, John Smith <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> I want to do something like this in Rails:
> "SELECT *, COUNT(post_id) AS total FROM comments ... conditions"
>
> Is that SELECT possible in Rails? Otherwise, I can use find_by_sql, but
> I'm trying to avoid SQL injection and this SQL needs a parameter. Is
> there a way to sanitize this parameter?
>
> I'll appreciate any help
> --
> Posted via http://www.ruby-forum.com/.

"You can use the same string replacement techniques as you can with ActiveRecord#find."

http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M002267

Alternatively, does :select => "*, COUNT(post_id) AS total" in your Comments.find work?
Thanks a lot, find_by_sql worked! I tried to do the same, but I did not use the [ ]. I tried :select => ... also before asking, but that did not work.

pharrington wrote:
> On Feb 5, 2:09 pm, John Smith <li...-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>> I want to do something like this in Rails:
>> "SELECT *, COUNT(post_id) AS total FROM comments ... conditions"
>>
>> Is that SELECT possible in Rails? Otherwise, I can use find_by_sql, but
>> I'm trying to avoid SQL injection and this SQL needs a parameter. Is
>> there a way to sanitize this parameter?
>>
>> I'll appreciate any help
>> --
>> Posted via http://www.ruby-forum.com/.
>
> "You can use the same string replacement techniques as you can with
> ActiveRecord#find."
>
> http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M002267
>
> Alternatively, does :select => "*, COUNT(post_id) AS total" in your
> Comments.find work?
--
Posted via http://www.ruby-forum.com/.
Sharagoz --
2010-Feb-05 20:56 UTC
Re: Is this SQL possible with Rails? How can I sanitize?
> I tried :select => ... also before asking, but that did not work.

Mind showing us the query? It should work I believe...
--
Posted via http://www.ruby-forum.com/.
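The point of pharrington's answer (and of the `[ ]` the original poster was missing) is that `find_by_sql` accepts an array whose first element is the statement and whose remaining elements are bind values, and ActiveRecord quotes those values for you. The following is an added example, not code from this thread or from Rails itself: it models that `?` placeholder substitution in plain Ruby so the difference from string interpolation can be seen without a database. The `comments` table and `post_id` column come from the thread; filtering on an `author` column and the `GROUP BY post_id` clause are assumptions, and the quoting rules are a simplified stand-in for the connection adapter's own quote method.

```ruby
# Added example, not from the thread or from Rails. Models the `?` bind
# substitution that ActiveRecord performs for the array form
#   Comment.find_by_sql(["SELECT ... WHERE post_id = ?", id])
# so that interpolation and parameter binding can be compared offline.

# Quote one Ruby value for embedding in SQL text. Simplified stand-in for a
# connection adapter's quote method: nil, numeric and string binds only. A
# single quote inside a string is doubled, the standard SQL string escape.
def quote_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when String         then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "unsupported bind type: #{value.class}"
  end
end

# Replace each ? in the statement with the next quoted bind value, in order,
# and refuse statements whose placeholder count does not match the binds.
# This mirrors what ActiveRecord's sanitize_sql_array does with
# ["SELECT ... WHERE x = ?", value].
def sanitize_sql_array(statement, *binds)
  remaining = binds.dup
  sql = statement.gsub("?") do
    raise ArgumentError, "not enough bind values for statement" if remaining.empty?
    quote_value(remaining.shift)
  end
  raise ArgumentError, "too many bind values for statement" unless remaining.empty?
  sql
end

# The query from the thread with a concrete condition. Filtering on `author`
# and grouping by post_id are assumptions added for the example.
COUNT_SQL = "SELECT *, COUNT(post_id) AS total FROM comments WHERE author = ? GROUP BY post_id"

# The risky form: the parameter is spliced straight into the SQL text, so
# any value containing a single quote changes the statement's structure.
def interpolated_query(author)
  "SELECT *, COUNT(post_id) AS total FROM comments WHERE author = '#{author}' GROUP BY post_id"
end

# The safe form: the parameter travels as a bind and is quoted by the library.
# In Rails this is Comment.find_by_sql([COUNT_SQL, author]).
def bound_query(author)
  sanitize_sql_array(COUNT_SQL, author)
end

# Check whether the statement's string literals still balance: ignore doubled
# quotes (escaped), then an odd count of remaining quotes means a literal was
# terminated early by the parameter.
def unbalanced_quotes?(sql)
  sql.gsub("''", "").count("'").odd?
end

if __FILE__ == $PROGRAM_NAME
  name = "O'Reilly" # constructed sample input: an ordinary name with an apostrophe
  puts interpolated_query(name) # literal ends early at 'O' and the rest is dangling SQL
  puts bound_query(name)        # intact: WHERE author = 'O''Reilly'
  puts sanitize_sql_array("SELECT * FROM comments WHERE post_id = ?", 42)
end
```

The same array form works for `:conditions` in the Rails 2-era `find` call that pharrington and Sharagoz mention, e.g. `Comment.find(:all, :select => "*, COUNT(post_id) AS total", :conditions => ["post_id = ?", id], :group => "post_id")`; the `:select` fragment itself should contain only column expressions you wrote, never request input, because nothing quotes that part.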