> Understood. It's part of why a more general purpose solution is difficult
> (for DO). But I think that it's reasonable to require the usage of String
> literals *or* bind variables, but not both.

It's pretty easy to work with both, you simply don't do any interpolation if
you've not been told there are bind variables:

  :conditions=>"description = 'Ruby is awesome?'"   # no interpolation
  :conditions=>["description = ?", params[:whatever]]

A bare string with no associated 'things to bind' should obviously not be
'bound'.

> Nate W wrote:
>
> > On Aug 8, 8:56 am, Yehuda Katz <wyc...@gmail.com> wrote:
> >
> > > I discussed this some with dbussink, who maintains DO. One of the
> > > problems is that you'd have to be able to convert "?" into the native
> > > format, while avoiding ? in Strings. So for instance:
> > >
> > > "SELECT * from foo where name=""?"" and id = ?"
> >
> > I could be missing your point, but isn't that problem already
> > addressed in AR? AR already parses ?'s and :bind's itself and makes
> > those decisions currently, since it emulates bind variables. So that
> > functionality (and perhaps edge case bugs) should already be in the
> > current "id = ?" => "id = '1'" AR code.
> >
> > So, we should be able to take the current sanitize_sql, and change it
> > slightly so that when AR makes the pass to decide which ? would
> > normally be replaced with 'quoted values', instead it would be
> > replaced with :b1, @x, or whatever that driver decides.
> >
> > Just FYI, your example actually fails in AR currently:
> >
> >   p = Player.find_by_sql(['SELECT * from players where username=""?"" and id = ?', 'hey', 1])
> >
> >   ActiveRecord::StatementInvalid: OCIError: ORA-01741: illegal zero-length identifier: SELECT * from players where username=""'hey'"" and id = 1
> >
> > So it's not functionality that anyone is relying on as-is.
> >
> > -Nate

--
Cheers

Koz
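A minimal version of the placeholder pass Nate describes, added here as an illustration and not code from Koz, Nate, or Rails: a bare string with no bind values is returned untouched, and a `?` is only rewritten to a driver-style bind name (`:b1`, an assumed Oracle-style format) when it sits outside a string literal or quoted identifier.

```ruby
# Added example, not code from Koz, Nate, or Rails: a minimal sanitize_sql-style
# pass that turns bare "?" placeholders into driver-native bind names (":bN",
# assumed Oracle-style) while leaving "?" inside string literals or quoted
# identifiers untouched. A bare string with no bind values is returned as-is.
class BindCountMismatch < StandardError; end

# Returns [rewritten_sql, values]. `placeholder` is a hypothetical per-driver
# hook for the native bind format.
def bind_placeholders(sql, values = nil, placeholder: ->(n) { ":b#{n}" })
  # Nothing to bind, so no interpolation at all (the bare-string case).
  return [sql, []] if values.nil? || values.empty?

  out = String.new
  quote = nil   # quote character while inside a literal/identifier, else nil
  count = 0
  i = 0
  while i < sql.length
    c = sql[i]
    if quote
      out << c
      if c == quote
        if sql[i + 1] == quote   # doubled quote ('' or "") is an escape
          out << quote
          i += 1
        else
          quote = nil            # literal closed
        end
      end
    elsif c == "'" || c == '"'
      quote = c                  # entering a literal or quoted identifier
      out << c
    elsif c == "?"
      count += 1
      out << placeholder.call(count)
    else
      out << c
    end
    i += 1
  end

  if count != values.length
    raise BindCountMismatch, "#{count} placeholders but #{values.length} values"
  end
  [out, values]
end
```

The values themselves are never spliced into the SQL text; they travel alongside it for the driver to bind, which is what keeps a `?` inside user data from ever being treated as a placeholder.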