tags:

views:

51

answers:

1
Q: 

Rails - escaping SQL params

I am doing some plain SQLs in my rails model (for purists this is just for complex SQLs :)

Since I am not using find*/condition methods, is there a helper method that I can use straight to do that?

+2  A: 

The quote method on the connection object escapes strings. When building up queries, use sanitize_sql_for_conditions to convert ActiveRecord conditions hashes or arrays to SQL WHERE clauses.

The methods in ActiveRecord::ConnectionAdapters::DatabaseStatements are handy for direct queries, in particular the ones starting with select_.

Jason Weathered  2010-07-21 22:25:04
yes in my model I am doing connection.select_all(sql). But I cant find the "quote" method on connection object in rdoc for escaping my input params for where conditions.
 2010-07-21 22:39:18
Okay i got it, thanks!
 2010-07-21 23:54:16

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL