Brian Corrales
corralesonline.com

Ruby on Rails Error

July 4th, 2007 . by brian.corrales

I’ve been working on this for a long time. I get this error when trying to work a SQL statement like so:

@names = CommonGivenName.find(:all, :conditions => ["common_given_names.name LIKE '#{params[:descendant][:given_name]}%'"])

I keep getting this error:  malformed format string.  I couldn’t figure out the problem, but apparently, Rails doesn’t like the % sign.  After adding a second one, the query ran just fine.  If anyone has any ideas on this, I’d be interested in learning.  I just know it works this way.


2 Responses to “Ruby on Rails Error”

  1. comment number 1 by: Jimmy Zimmerman

    A better way to do it is the prepared statement type syntax. Your conditions statement would look something more like:

    :conditions => ["common_given_names.name LIKE ?", "#{params[:descendant][:given_name]}%"]

    That way, Rails will sanitize your input from any kind of SQL injection attack, as well as wrap the single quotes around your statement if needed.

  2. comment number 2 by: brian.corrales

    Thanks Jimmy. I’ll have to start using the prepared statement then.
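
Added example (not part of the original post or its comments): plain Ruby, no Rails, showing why a lone % in a conditions string without a ? placeholder fails, why %% works, and what placeholder binding changes. It assumes Rails of this era passed a placeholder-less conditions string through Ruby's String#% formatting; the helper names and sample values are constructed for illustration.

```ruby
# Added illustration in plain Ruby (no Rails). Helper names are hypothetical.

# Assumed fallback path: a conditions string with no "?" is used as a sprintf
# format, so a lone "%" is parsed as the start of a format directive.
def format_conditions(statement, values = [])
  statement % values
end

# Simplified stand-in for placeholder binding: quote the value as a SQL string
# literal (single quotes doubled) so it cannot end the literal early.
# Real adapters apply database-specific quoting.
def bind_conditions(statement, value)
  statement.sub("?") { "'" + value.to_s.gsub("'", "''") + "'" }
end

# Binding does not neutralise LIKE wildcards. Escape them with "!" when the
# user-supplied prefix must match literally (paired with ESCAPE '!').
def escape_like(value)
  value.gsub(/[!%_]/) { |ch| "!" + ch }
end

def demo
  results = {}
  # 1. The post's query shape with a constructed value: "%'" is not a directive.
  begin
    format_conditions("common_given_names.name LIKE 'Jo%'")
  rescue ArgumentError => e
    results[:single_percent] = e.message
  end
  # 2. The post's workaround: "%%" is sprintf's escape for a literal "%".
  results[:double_percent] = format_conditions("common_given_names.name LIKE 'Jo%%'")
  # 3. Constructed name with an apostrophe: interpolation ends the literal early,
  #    binding keeps the whole value inside one literal.
  name = "O'Brien"
  results[:interpolated] = "common_given_names.name LIKE '#{name}%'"
  results[:bound] = bind_conditions("common_given_names.name LIKE ?", "#{name}%")
  # 4. Constructed input containing wildcards, escaped before the trailing "%".
  results[:escaped] = bind_conditions("common_given_names.name LIKE ? ESCAPE '!'",
                                      escape_like("50%_off") + "%")
  results
end

demo.each { |key, value| puts "#{key}: #{value}" }
```

The placeholder form never reaches the format-string path, so the trailing % needs no doubling there.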
