valk

Reputation: 9894

Passing a string in where clause in Rails is always quoted

I'm trying to compose the .where() clause programmatically.

It looks like

Post.where("description ?", @composite)

Where @composite is a string which is constructed before. It may be something like = 'ABCD' or maybe IS LIKE 'ABCD' etc.

Problem is in the resulting SQL it's always single-quoted. For example:

Post Load (0.2ms)  SELECT `posts`.* FROM `posts` WHERE (description 'IS LIKE "ABCD"')

Is there any way to "un-quote" it?

Upvotes: 0

Views: 515

Answers (2)

Ahmad Hussain

Reputation: 2491

Use this:

Post.where("description #{@composite}")

Upvotes: 0

Dave Newton

Reputation: 160271

The = and IS LIKE should not be part of the string you're passing in.

It's being single-quoted because that's precisely what the ? does: SQL-safed quoting.

If you want to completely construct the SQL yourself then do so, e.g.,

Post.where("description #{@composite}")

You'll need to sanitize the string yourself, which is easy since presumably you're constructing the = or IS LIKE part with input.

Upvotes: 1
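One way to keep the operator out of the bound string, as the answer above suggests, shown as an added example that is not part of the original answers: the operator is picked from a fixed allowlist and only the value goes through the `?` placeholder. The names `OPERATORS`, `ALLOWED_COLUMNS`, `escape_like` and `build_condition`, the operator keys and the `title` column are assumptions made for illustration.

```ruby
# Added example (hypothetical helper names). Plain Ruby, no Rails needed to run.
# In a Rails app the result is splatted into where, e.g.
#   Post.where(*build_condition("description", params[:op], params[:q]))

# Escape LIKE wildcards so user text matches literally.
# Assumes backslash is the LIKE escape character (the MySQL default).
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |ch| "\\#{ch}" }
end

# User-facing operator keys mapped to fixed SQL fragments (assumed key names).
# :wrap turns the raw value into the bind value; nil means no bind is needed.
OPERATORS = {
  "eq"       => { sql: "= ?",     wrap: ->(v) { v } },
  "not_eq"   => { sql: "<> ?",    wrap: ->(v) { v } },
  "contains" => { sql: "LIKE ?",  wrap: ->(v) { "%#{escape_like(v)}%" } },
  "starts"   => { sql: "LIKE ?",  wrap: ->(v) { "#{escape_like(v)}%" } },
  "is_null"  => { sql: "IS NULL", wrap: nil }
}.freeze

# Columns a caller may filter on (assumed; "description" is from the question).
ALLOWED_COLUMNS = %w[description title].freeze

# Returns [sql_fragment, bind_value] or [sql_fragment].
# Nothing supplied by the caller is ever concatenated into the SQL text:
# column and operator are looked up, the value is returned as a bind.
def build_condition(column, op_key, value = nil)
  raise ArgumentError, "unknown column" unless ALLOWED_COLUMNS.include?(column)
  op = OPERATORS.fetch(op_key) { raise ArgumentError, "unknown operator" }

  fragment = "#{column} #{op[:sql]}"
  op[:wrap] ? [fragment, op[:wrap].call(value)] : [fragment]
end
```

An operator string that is not one of the allowlisted keys raises `ArgumentError` instead of reaching the query.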
