Ruby on Rails Error
by brian.corrales on Jul.04, 2007, under Ruby on Rails, Technology
I’ve been working on this for a long time. I get this error when trying to run a SQL statement like so:
# the user-supplied name is interpolated straight into the SQL string
@names = CommonGivenName.find(:all, :conditions => ["common_given_names.name LIKE '#{params[:descendant][:given_name]}%'"])
I keep getting this error: “malformed format string”. I couldn’t figure out the problem, but apparently Rails doesn’t like the % sign. After adding a second one, the query ran just fine. If anyone has any ideas on this, I’d be interested in learning. I just know it works this way.
July 4th, 2007 on 7:06 pm
A better way to do it is the prepared-statement-style syntax. Your conditions statement would look something more like:
:conditions => ["common_given_names.name LIKE ?", "#{params[:descendant][:given_name]}%"]
That way, Rails will sanitize your input from any kind of SQL injection attack, as well as wrap the single quotes around your statement if needed.
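As an added example (not code from the post, from the commenter, or from Rails itself), the following plain-Ruby model of the Rails 1.x/2.x sanitize_sql_array code path shows why the post's query raised "malformed format string", why doubling the % silences the error without making the query safe, and what the ? form from the comment above actually does. The quote_string/quote_value helpers are simplified stand-ins for the database adapter's quoting, the params lookup is replaced by a plain name argument, and the ESCAPE '!' variant is a caveat the thread does not mention: the ? placeholder quotes the value but leaves LIKE wildcards inside it active.

```ruby
# Added example, not the post's code or the Rails source: a plain-Ruby model
# of how Rails (1.x/2.x era) turned a :conditions array into a SQL fragment.
# quote_string/quote_value are simplified stand-ins for the adapter's quoting.

def quote_string(value)
  # Double backslashes and single quotes, the way a SQL adapter would.
  value.to_s.gsub("\\") { "\\\\" }.gsub("'", "''")
end

def quote_value(value)
  "'#{quote_string(value)}'"
end

# Modelled on sanitize_sql_array: a statement containing "?" has each "?"
# replaced by a quoted bind value; anything else is pushed through String#%
# (sprintf), and sprintf is what rejects a lone "%" as a malformed format.
def sanitize_sql_array(ary)
  statement, *values = ary
  if statement.include?('?')
    unless statement.count('?') == values.size
      raise ArgumentError, "wrong number of bind variables"
    end
    statement.gsub('?') { quote_value(values.shift) }
  else
    statement % values.map { |v| quote_string(v) }
  end
end

# The post's original query: the value is interpolated into the SQL text.
def interpolated_conditions(name)
  ["common_given_names.name LIKE '#{name}%'"]
end

# The post's workaround: "%%" is a literal "%" to sprintf, so the error goes
# away, but the value is still unquoted inside the SQL text.
def doubled_percent_conditions(name)
  ["common_given_names.name LIKE '#{name}%%'"]
end

# The comment's form: the value is quoted by the adapter and never sees sprintf.
def bind_conditions(name)
  ["common_given_names.name LIKE ?", "#{name}%"]
end

# Caveat not covered in the thread: "?" escapes quotes, not LIKE wildcards,
# so a user who types "%" or "_" still widens the match. Escape them with a
# character of our choosing ("!") and declare it with ESCAPE.
def escape_like(value)
  value.to_s.gsub(/[!%_]/) { |c| "!#{c}" }
end

def bind_conditions_escaped(name)
  ["common_given_names.name LIKE ? ESCAPE '!'", "#{escape_like(name)}%"]
end

# Build the SQL, or capture the message the sprintf step raises.
def attempt(conditions)
  sanitize_sql_array(conditions)
rescue ArgumentError => e
  "ArgumentError: #{e.message}"
end

# Run every variant against one input and collect the resulting SQL.
def compare(name)
  {
    :interpolated    => attempt(interpolated_conditions(name)),
    :doubled_percent => attempt(doubled_percent_conditions(name)),
    :bind            => attempt(bind_conditions(name)),
    :bind_escaped    => attempt(bind_conditions_escaped(name)),
  }
end

if __FILE__ == $0
  # Constructed inputs: a normal name, an injection attempt, a bare wildcard.
  ["Ann", "Ann' OR '1'='1", "%"].each do |name|
    puts "input: #{name.inspect}"
    compare(name).each { |variant, sql| puts "  #{variant}: #{sql}" }
  end
end
```

Running it with the three constructed inputs shows the whole story in one place: the interpolated form fails on "Ann" with the post's exact error, the doubled form accepts "Ann" but passes "Ann' OR '1'='1" through as live SQL and fails again as soon as the input itself contains a "%", and the bind form quotes the injection attempt but still turns a bare "%" into LIKE '%%', which matches every row until the wildcard is escaped.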
July 4th, 2007 on 7:10 pm
Thanks Jimmy. I’ll have to start using the prepared statement then.