tags:

views:

94

answers:

2
+1  Q: 

Active Record find conditions as string

hi

i have some conditions to pass to a finder. The problem is that i don't want to pass in an usafety way. So imagine that i receive a hash:

hash = {:start_date=>'2009-11-01',:end_date=>'2010-01-23'}

i would like to pass it to my finder like:

Model.find(:all,:conditions=>"created > '#{start_date}' and created < '#{end_date}'")

The problem is that it is unsafe and i'm exposed to SQL injection problems. My question is, how would be the best way to compose this condition?

I want to do it dynamically. For example, i'm doing today like:

find_condition = ['created > ? and created < ?','2009-10-01','2010-01-01']
Model.find(:all,:conditions=>find_condition)
+4  A: 

You can write it like this:

Model.find(:all,:conditions=>["created > :start_date and created < :end_date", {:start_date => params[:one], :end_date => params[:two]}])

It will be escaped properly.

Tomas Markauskas  2010-01-18 11:46:26
+1  A: 

Active Record supports escaping of conditions using a question mark:

Model.all(:conditions => ['created > ? and created < ?',
          :start_date, :end_date])

Some further information in the Rails' Guides that you may be interested in:

John Topley  2010-01-18 11:51:57
@JohnTopley I think that should actually be `Model.all(:conditions => ['created > ? and created < ?', :start_date, :end_date])`. (i.e. don't the conditions belong in the `[]` as well?)
jerhinesmith  2010-01-18 14:32:52
@jerhinesmith Thanks, good catch! I'll update the example.
John Topley  2010-01-18 14:48:08
I believe you meant start_date, end_date instead of :start_date, :end_date (colons out)
egarcia  2010-01-18 14:48:53
@egarcia I believe it will work using either form.
John Topley  2010-01-18 15:27:43
@JohnTopley Interesting - how is that possible? Wouldn't the '?' be just replaced by the text 'start_date' and 'end_date' respectively?
egarcia  2010-01-19 11:53:40

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.