Double Quotes Problem in mysql

Hi All, I am using the following code to find the artist:

@actual_artist = Artist.find_by_name(params[:record][:artist_name]) ---Line A

My problem is that I receive data like params[:record][:artist_name] = "Acg\"",

so my application crashes on Line A.

What error do you get?

Fred

The problem here is that update_all doesn't actually sanitize the value passed to the 'updates' parameter. Your particular example will work if you just surround the #{@album} in single quotes, but that's obviously not going to address the broader problem. Rather, you'll need to do something like the following:

# model name taken from the update_all call being replaced; column names as in the conditions
records = TempRoyaltyReport.find(:all, :conditions => {:artist_name => @corrected_artist.artist_name, :album_name => @corrected_artist.album_name, :upc => @corrected_artist.upc})
records.each { |r| r.update_attributes({:artist_name => @artist, :album_name => @album, :upc => params[:upc], :status => 'corrected'}) }

The basic idea is to retrieve all the records to be updated first (or for better performance just the list of IDs to be updated), and *then* use the ActiveRecord::Base methods that actually know how to sanitize input.

The problem here is that update_all doesn't actually sanitize the value passed to the 'updates' parameter.

It can do if you give it a chance, e.g. TempRoyaltyReport.update_all(["artist_name=?", @artist_name]) or TempRoyaltyReport.update_all(:artist_name => @artist_name). Just like the conditions you pass to find.

Fred
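To make the difference between the two update_all forms concrete, here is an added example (not code from anyone in this thread, and not ActiveRecord's own code): it builds the UPDATE statement three ways, interpolated into a double-quoted SQL literal, via the Array/placeholder form, and via the Hash form, and then scans each statement with MySQL's string-literal rules to show which ones leave an unterminated literal. The input is the string Acg" (what the Ruby literal "Acg\"" in the first post denotes) plus a value ending in a backslash. The table name temp_royalty_reports, and the mysql_escape function that imitates the MySQL driver's escaping, are assumptions for the illustration.

```ruby
# Added example, not code from the thread or from ActiveRecord.
# It shows why TempRoyaltyReport.update_all("artist_name=#{...}") breaks on
# quote/backslash input while update_all(["artist_name=?", v]) and
# update_all(:artist_name => v) do not.  Runs without Rails.

TABLE = "temp_royalty_reports"   # assumed table name for the example

# Escape a value the way a MySQL driver does before it is wrapped in quotes
# (assumption: mirrors the characters mysql_real_escape_string handles).
def mysql_escape(value)
  value.to_s.gsub(/[\x00\n\r\\'"\x1a]/) do |c|
    case c
    when "\x00" then "\\0"
    when "\n"   then "\\n"
    when "\r"   then "\\r"
    when "\x1a" then "\\Z"
    else "\\#{c}"                 # backslash, single quote, double quote
    end
  end
end

def mysql_quote(value)
  "'#{mysql_escape(value)}'"
end

# The interpolated call: the raw value lands inside the SQL text unchanged.
def update_sql_interpolated(column, value)
  %(UPDATE #{TABLE} SET #{column}="#{value}")
end

# The Array form update_all(["artist_name=?", value]): each ? becomes the
# quoted value, so the value can never close or open a literal.
def update_sql_placeholder(assignment, *values)
  vals = values.dup
  "UPDATE #{TABLE} SET " + assignment.gsub("?") { mysql_quote(vals.shift) }
end

# The Hash form update_all(:artist_name => value): column names come from the
# caller, values are quoted.
def update_sql_hash(attrs)
  set = attrs.map { |col, val| "#{col} = #{mysql_quote(val)}" }.join(", ")
  "UPDATE #{TABLE} SET #{set}"
end

# Walk the statement with MySQL's literal rules: inside a literal a backslash
# escapes the next character and the literal ends at the matching unescaped
# quote.  Returns true when every literal is terminated (the doubled-quote
# form '' is deliberately not handled; it makes no difference here).
def literals_terminated?(sql)
  quote = nil
  i = 0
  while i < sql.length
    c = sql[i]
    if quote.nil?
      quote = c if c == "'" || c == '"'
    elsif c == "\\"
      i += 1                      # skip the escaped character
    elsif c == quote
      quote = nil
    end
    i += 1
  end
  quote.nil?
end

if __FILE__ == $0
  ['Acg"', 'Acg\\'].each do |v|           # constructed inputs
    [update_sql_interpolated("artist_name", v),
     update_sql_placeholder("artist_name=?", v),
     update_sql_hash(:artist_name => v)].each do |sql|
      puts "#{literals_terminated?(sql) ? 'ok     ' : 'BROKEN '} #{sql}"
    end
  end
end
```

The scan is only a model of the parser, but it is enough to show the mechanism: with interpolation the value itself decides where the literal ends, so a stray quote or trailing backslash produces the syntax error the first post saw, whereas the placeholder and Hash forms pass the value through the adapter's quoting and the statement stays well-formed for any input.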

Don't know why I didn't know this. Thanks!