Michael Jackson
5/23/2009 2:27:00 PM
You could do something like this:
# quote the column name and interpolate it into the SQL; a '?' bind would turn it into a string literal
Address.find(:all, :conditions => ["#{Address.connection.quote_column_name('last_name')} LIKE ?",
"Luehr" ])
It's a bit more verbose, but I think it should work.
Michael
On Sat, May 23, 2009 at 8:15 AM, Jan Lühr <usenet@stephan.homeunix.net> wrote:
> Hello,
>
> I'm developing a search functionality (as part of a RoR-App) and I was
> wondering: Is there a way to sanitize column-names for security?
>
> For values, there are prepared statements like:
>
> Address.find(:all, :conditions => ['last_name LIKE ?',"Luehr" ])
>
> But for column-names, it doesn't work:
> Address.find(:all, :conditions => ['? LIKE ?',"last_name","Luehr" ])
>
> Creates:
> SELECT * FROM `addresses` WHERE ('last_name' LIKE 'Luehr')
> (last_name is used as a string here)
>
> I looked for escaping methods but I just got DBMS specific ones like
> Mysql::escape_string()
>
> Do you know a generic escaping method?
>
> Thanks in advance,
> Keep smiling
> yanosz
>
>
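Added example, not from either poster: a self-contained Ruby imitation of the ActiveRecord pieces involved (the '?' bind substitution and a MySQL-style quote_column_name), showing why binding a column name yields a string literal and how an allowlist plus identifier quoting sanitizes it instead. The ADDRESS_COLUMNS list, quote_value and replace_binds are constructed stand-ins so this runs without Rails.

```ruby
# Stand-in for what a '?' bind does in ActiveRecord: every bound value
# becomes a single-quoted string literal (backslash and quote escaped).
def quote_value(value)
  "'" + value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" } + "'"
end

# Stand-in for sanitize_sql_array: replace each '?' with the next quoted value.
def replace_binds(sql, binds)
  remaining = binds.dup
  sql.gsub("?") { quote_value(remaining.shift) }
end

# Stand-in for connection.quote_column_name on MySQL: backtick-quote the
# identifier, doubling any embedded backtick.
def quote_column_name(name)
  "`" + name.to_s.gsub("`", "``") + "`"
end

# Constructed allowlist of columns a search may filter on. Quoting alone
# only makes an identifier syntactically safe; the allowlist decides which
# columns a user is permitted to query at all.
ADDRESS_COLUMNS = %w[id first_name last_name city].freeze

# Returns the quoted column name, or raises if it is not an allowed column.
def safe_column(name, allowed = ADDRESS_COLUMNS)
  col = name.to_s
  raise ArgumentError, "unknown column: #{col.inspect}" unless allowed.include?(col)
  quote_column_name(col)
end

# The approach from the original question: the column goes in as a bind,
# so it is compared as text ('last_name' LIKE 'Luehr').
def naive_condition(column, value)
  replace_binds("? LIKE ?", [column, value])
end

# Sanitized form: validated + quoted identifier in the SQL, value as a bind.
def like_condition(column, value)
  replace_binds("#{safe_column(column)} LIKE ?", [value])
end

if __FILE__ == $0
  puts naive_condition("last_name", "Luehr")  # 'last_name' LIKE 'Luehr'
  puts like_condition(:last_name, "Luehr")    # `last_name` LIKE 'Luehr'
end
```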