Define an array condition that selects on dynamic columns

Arne Hartherz
September 15, 2010
Software engineer at makandra GmbH

Suppose you want to define a find condition in array form, and in that condition both the column name and the value come from user input and need to be sanitized.

Unfortunately, this works in SQLite but not in MySQL. The ? placeholder quotes its argument as a string literal, so the query ends up comparing against articles.'title'; SQLite accepts a single-quoted string where an identifier is expected, MySQL does not:

named_scope :filter, lambda { |attribute, value|
  { :conditions => [ 'articles.? = ?', attribute, value ] }
}

The solution is to use sanitize_sql_array like this:

named_scope :filter, lambda { |attribute, value|
  { :conditions => sanitize_sql_array([ "`articles`.`%s` = '%s'", attribute, value ]) }
}
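String escaping, which is what the %s form above applies to both placeholders, is designed for quoted values; a column name is an identifier and cannot be bound as a parameter, so the robust defence is to accept only column names from an allowlist. The following is an added example (not code from the original card or from makandra); the `ARTICLE_COLUMNS` list, the `UnknownColumn` error class and the `filter_condition` helper are constructed for illustration, and in a Rails model the allowlist could be taken from `column_names`.

```ruby
# Added example, not part of the original card. The column name is checked
# against an allowlist of real columns and wrapped in backticks (MySQL
# identifier quoting); the value stays a ? bind parameter so the database
# adapter quotes it. Constructed allowlist so the example runs without
# ActiveRecord; a model could use `column_names` instead.
ARTICLE_COLUMNS = %w[id title author_id published_at].freeze

class UnknownColumn < ArgumentError; end

# Returns an array condition for `articles.<attribute> = <value>`.
# Raises UnknownColumn for any attribute not on the allowlist, which also
# stops callers from filtering on columns they should not query.
def filter_condition(attribute, value, allowed = ARTICLE_COLUMNS)
  column = attribute.to_s
  unless allowed.include?(column)
    raise UnknownColumn, "#{column.inspect} is not a filterable column"
  end
  ["`articles`.`#{column}` = ?", value]
end

# With this helper the named_scope from the card becomes:
#
#   named_scope :filter, lambda { |attribute, value|
#     { :conditions => filter_condition(attribute, value) }
#   }

if __FILE__ == $0
  p filter_condition(:title, "O'Reilly")
  # => ["`articles`.`title` = ?", "O'Reilly"]
  begin
    filter_condition('secret_token', 'x')
  rescue UnknownColumn => e
    puts "rejected: #{e.message}"
  end
end
```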
Posted by Arne Hartherz to makandra dev (2010-09-15 11:20)