MySQL :: Re: Entering a variable in a FIND

Contact MySQL |
Login | Register

The world's most popular open source database

Documentation Downloads MySQL.com

Developer Zone

Section Menu:

New Topic

Re: Entering a variable in a FIND

Posted by: Frank Mash
Date: March 23, 2006 09:13PM

Hello Ruth,

Try something like the following:

Assuming the title_search isn't provided by the user (no possibility of SQL injection attack exists):

def self.search_results(title_search)
find(:all,
:conditions => "title like '%#{title_search}%'",
:order => "title")
end

OR if the possibility of SQL injection attack exists:

def self.search_results(title_search)
find(:all,
:conditions => ["title like '%?%'", title_search] ,
:order => "title")
end

In the latter, the first question mark will be replaced (and slashed) by the second parameter, the second question mark by the third parameter and so on and so forth.

Hope this helps!

Upcoming books:
Pro Rails and Pro Server Management

Come attend my Applied ROR session in the MySQL UC.

My Grande RSS Feed (ROR + MySQL + Linux)
http://feedshake.com/mpfeeds/gk4zwwligo.xml

My blogs:
http://railsruby.blogspot.com
http://mysqldatabaseadministration.blogspot.com

Edited 1 time(s). Last edit at 03/23/2006 09:14PM by Frank Mash.

Navigate: Previous Message• Next Message

Options: Reply• Quote

Subject

Written By

Posted

Entering a variable in a FIND

Ruth O'Hare

January 22, 2006 02:45PM

Re: Entering a variable in a FIND

Frank Mash

March 23, 2006 09:13PM

Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.