Jan 16
Using Ruby on Rails and the find method with conditions, it is also possible to use the SQL LIKE statement without having to escape variables or use raw SQL:
urls = Url.find(:all, :conditions => ["location like ?", params[:location] + "%"])
In my application, this finds all Url objects with a URL that begins with params[:location].
But this is not the safest solution! The user is able to include their own "%" or "_" characters, which are wildcards inside a LIKE pattern. Rails does not escape these, so you have to use:
escaped_location = params[:location].gsub('%', '\%').gsub('_', '\_')
urls = Url.find(:all, :conditions => ["location like ?", escaped_location + "%"])
More on the need to escape SQL can be found in a railscast.
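The following is an added example, not code from the original post: a reusable escaping helper and a small pure-Ruby LIKE matcher that shows, offline, why the escaping matters. It goes slightly beyond the post in two ways a practitioner would want: it also escapes the backslash itself (otherwise a user-supplied "\" could neutralise the escaping of the following character), and it takes the escape character as a parameter. It assumes the database treats "\" as the LIKE escape character (MySQL and PostgreSQL do by default; SQLite needs an explicit ESCAPE clause). The location strings and the user input are constructed sample data; `escape_like`, `like_match?` and `prefix_pattern` are names chosen here.

```ruby
# Added example (not from the original post): escaping user input for a SQL LIKE
# prefix search, plus a small pure-Ruby LIKE matcher to show the effect offline.
# Assumption: the database uses "\" as the LIKE escape character.

# Escape the three characters that have special meaning inside a LIKE pattern.
# The escape character itself is handled first, otherwise the escape characters
# added for "%" and "_" would be doubled up again.
def escape_like(str, escape_char = "\\")
  str.gsub(escape_char) { escape_char * 2 }
     .gsub("%") { "#{escape_char}%" }
     .gsub("_") { "#{escape_char}_" }
end

# Build the "begins with user input" pattern for a parameterised LIKE query.
# In a Rails model this would be used as (assumed, not from the post):
#   Url.where("location LIKE ?", prefix_pattern(params[:location]))
def prefix_pattern(user_input, escape_char = "\\")
  escape_like(user_input, escape_char) + "%"
end

# Translate a LIKE pattern into a Regexp so the matching rules can be checked
# without a database: "%" is any run of characters, "_" is one character, and
# escape_char makes the next character literal.
def like_to_regexp(pattern, escape_char = "\\")
  re = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == escape_char && i + 1 < chars.length
      re << Regexp.escape(chars[i + 1]) # escaped character: match literally
      i += 2
      next
    end
    re << case c
          when "%" then ".*"
          when "_" then "."
          else Regexp.escape(c)
          end
    i += 1
  end
  Regexp.new("\\A#{re}\\z", Regexp::MULTILINE)
end

def like_match?(pattern, value, escape_char = "\\")
  like_to_regexp(pattern, escape_char).match?(value)
end

# Constructed sample data: a user searches for URLs beginning with "100%".
# Unescaped, the "%" in the input becomes a wildcard and the search widens to
# everything starting with "100"; escaped, only the literal prefix matches.
def demo
  locations  = ["100%_pure", "100 apples", "1000"]
  user_input = "100%"
  raw_pattern  = user_input + "%"             # what the unescaped query sends
  safe_pattern = prefix_pattern(user_input)   # "100\%%"
  {
    raw_matches:  locations.select { |l| like_match?(raw_pattern, l) },
    safe_matches: locations.select { |l| like_match?(safe_pattern, l) },
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Newer Rails versions ship ActiveRecord::Base.sanitize_sql_like, which performs the same escaping as escape_like above; on SQLite, pair either helper with an explicit "ESCAPE '\'" in the query, because SQLite has no default escape character.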