Attributes not being sanitised

I'm using a postgres database and have run into problems where attributes on a model are not sanitised correctly before being saved. The following code:

    comment = Comment.new( :item => item )
    comment.comment = "dog's breakfast"
    comment.save

Produces the following incorrect SQL in my logs:

    SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's breakfast' and subscriber_id = '90')

As you can see the ' in "Dog's breakfast" is causing issues. How do I ensure this is sanitised correctly?

> I'm using a postgres database and have run into problems where attributes on a model are not sanitised correctly before being saved. The following code:
>
>     comment = Comment.new( :item => item )
>     comment.comment = "dog's breakfast"
>     comment.save
>
> Produces the following incorrect SQL in my logs:
>
>     SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's breakfast' and subscriber_id = '90')

Are you sure this is the relevant snippet - why would a save be doing
a select?

Fred

I'm not sure, it seems to be done by Rails.

Farrel

> > Are you sure this is the relevant snippet - why would a save be doing a select?
> >
> > Fred
>
> I'm not sure, it seems to be done by Rails.

The obvious way to do it is to delete your development.log file, open
up the console and whack in what you had before (and only that) and
see what's in the logs after.

Fred

I did that and it still does a select before doing an insert. Again not sure why, but that is secondary to my question about the ' not being sanitised in the attribute.

Farrel

Do you have any validations on the model? In particular, validates_uniqueness_of will cause "select before insert"

-Rob

Rob Biedenharn http://agileconsultingllc.com Rob@AgileConsultingLLC.com

Farrel wrote:

> I'm using a postgres database and have run into problems where attributes on a model are not sanitised correctly before being saved. The following code:
>
>     comment = Comment.new( :item => item )
>     comment.comment = "dog's breakfast"
>     comment.save
>
> Produces the following incorrect SQL in my logs:
>
>     SELECT id FROM comments WHERE (item_id = 38 and comment = 'Dog's breakfast' and subscriber_id = '90')
>
> As you can see the ' in "Dog's breakfast" is causing issues. How do I ensure this is sanitised correctly?

you could sanitize it yourself (?)

That's what I eventually did.

Farrel
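What "sanitize it yourself" looks like for the uniqueness SELECT in this thread, as an added Ruby example that is not code from the thread or from Rails: the query is built once by plain string interpolation (reproducing the broken SQL from Farrel's log, with item_id 38, subscriber_id 90 and the comment "Dog's breakfast") and once through a small quote helper. The helper `quote_literal` is an assumption standing in for ActiveRecord's `connection.quote` so the snippet runs without Rails; in an application use `connection.quote` or bound parameters rather than a hand-rolled escaper.

```ruby
# Added example, not from the thread. Values are the ones in Farrel's log:
# item_id 38, subscriber_id 90, comment "Dog's breakfast".

# Unsafe: interpolating the attribute leaves the apostrophe inside the
# literal, which is exactly the malformed SELECT that appeared in the log.
def uniqueness_sql_unsafe(item_id, comment, subscriber_id)
  "SELECT id FROM comments WHERE (item_id = #{item_id} and " \
    "comment = '#{comment}' and subscriber_id = '#{subscriber_id}')"
end

# Stand-in for ActiveRecord's connection.quote (assumption: a real app should
# call that or use bound parameters). SQL-standard escaping doubles every
# single quote inside the literal; nil becomes an unquoted NULL.
def quote_literal(value)
  return "NULL" if value.nil?
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safe: every string goes through quote_literal, and the integer column is
# coerced with Integer(), which raises on anything that is not a number.
def uniqueness_sql_safe(item_id, comment, subscriber_id)
  "SELECT id FROM comments WHERE (item_id = #{Integer(item_id)} and " \
    "comment = #{quote_literal(comment)} and " \
    "subscriber_id = #{quote_literal(subscriber_id)})"
end

# Cheap sanity check for generated SQL text: if every literal is properly
# quoted, the single quotes in the statement pair up, so the count is even.
def balanced_quotes?(sql)
  sql.count("'").even?
end

if __FILE__ == $0
  puts uniqueness_sql_unsafe(38, "Dog's breakfast", 90)
  puts uniqueness_sql_safe(38, "Dog's breakfast", 90)
end
```

Running the file prints the broken statement followed by the correctly quoted one (`comment = 'Dog''s breakfast'`).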