Don't know why I didn't know this. Thanks!

On Apr 11, 12:52 pm, Frederick Cheung <frederick.che...@gmail.com>
wrote:
> On Apr 11, 5:16 pm, pharrington <xenogene...@gmail.com> wrote:
>
> > The problem here is that update_all doesn't actually sanitize the
> > value passed to the 'updates' parameter.
>
> It can do if you give it a chance, eg TempRoyaltyReport.update_all(["artist_name=?", @artist_name])
> or TempRoyaltyReport.update_all(:artist_name => @artist_name). Just like the conditions you pass to
> find.
>
> Fred
>
> > Your particular example will
> > work if you just surround the #...@album} in single quotes, but
> > that's obviously not going to address the broader problem. Rather,
> > you'll need to do something like the following:
>
> > records = TempRoyaltyReport.find(:all, :conditions => {:artist_name =>
> > @corrected_artist.artist_name, :album_name =>
> > @corrected_artist.album_name, :upc => @corrected_artist.upc})
> > records.each {|r| r.update_attributes({:artist => @artist, :album_name
> > => @album, :upc => params[:upc], :status => 'corrected'}) }
>
> > The basic idea is to retrieve all the records to be updated first (or
> > for better performance just the list of IDs to be updated), and *then*
> > use the ActiveRecord::Base methods that actually know how to sanitize
> > input.
>
> > On Apr 11, 4:48 am, Salil Gaikwad <rails-mailing-l...@andreas-s.net>
> > wrote:
>
> > > > What error do you get ?
>
> > > > Fred
>
> > > Sorry Fred, I'm unable to reproduce the same error.
> > > So I start with another one...
>
> > > params[:album]="Bust a Move (12\" Remixes) - EP"
>
> > > TempRoyaltyReport.update_all("artist_name...@artist},album_name
> > > =...@album},upc = #{params[:upc]},status = 'corrected'", "artist_name =
> > > \"#...@corrected_artist.artist_name}\" and album_name =
> > > \"#...@corrected_artist.album_name}\" and upc =
> > > '#...@corrected_artist.upc}'")
>
> > > And I get following error
>
> > > Mysql::Error: #42000You have an error in your SQL syntax; check the
> > > manual that corresponds to your MySQL server version for the right
> > > syntax to use near 'Remixes) - EP",upc = 829357903914,status =
> > > 'corrected' WHERE (artist_name = "VAR' at line 1: UPDATE
> > > temp_royalty_reports SET artist_name="Young MC",album_name ="Bust a Move
> > > (12" Remixes) - EP",upc = 829357903914,status = 'corrected' WHERE
> > > (artist_name = "VARIOUS ARTISTS" and album_name = "RMXXOLOGY DELUXE" and
> > > isrc = 'USDE10801060')
>
> > > --
> > > Posted via http://www.ruby-forum.com/.
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
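As an added illustration (not code from the thread, and not ActiveRecord's own implementation), here is a small Ruby model of why the interpolated update_all string breaks on the 12" album name and how a ?-placeholder template with separately supplied values, the form Fred points to, yields a valid literal instead. quote_value and bind_sql are simplified stand-ins for what ActiveRecord's sanitization does internally, and the album name and UPC are the constructed sample values taken from the error in the thread.

```ruby
# Teaching model of bind-style sanitization (not ActiveRecord's own code).
# Shows the difference between splicing a value into SQL text and letting
# a quoting routine build the literal from a ? template.

# Quote one Ruby value as a MySQL-style literal: integers and NULL pass
# through, everything else becomes a single-quoted string with \ and '
# backslash-escaped.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'" + value.to_s.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
  end
end

# Replace each ? in the template with the matching quoted value. The values
# are never rescanned, so a ? or quote inside a value cannot alter the
# statement; a count mismatch is an error rather than a silent misbind.
def bind_sql(template, *values)
  placeholders = template.count('?')
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  template.gsub('?') { quote_value(values.shift) }
end

# The original post's approach: values spliced straight into the SQL text,
# so a double quote inside the album name closes the literal early.
def interpolated_update(album, upc)
  %(UPDATE temp_royalty_reports SET album_name ="#{album}",upc = #{upc},status = 'corrected')
end

# The bind approach: SET clause as a ? template plus a value list.
def bound_update(album, upc)
  set_clause = bind_sql("album_name = ?, upc = ?, status = ?", album, upc, 'corrected')
  "UPDATE temp_royalty_reports SET #{set_clause}"
end

# Constructed sample input: the values that triggered the error in the thread.
ALBUM = 'Bust a Move (12" Remixes) - EP'
UPC   = 829357903914

if __FILE__ == $0
  puts interpolated_update(ALBUM, UPC)  # unbalanced quotes: MySQL syntax error
  puts bound_update(ALBUM, UPC)         # single-quoted literal; the " is harmless
end
```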