Double Quotes Problem in mysql

Hi All,
I am using following code to find the artist
@actual_artist=Artist.find_by_name(params[:record][:artist_name])
---Line A

my problem is that i receive da ta like
params[:record][:artist_name]="Acg\""

so my application crashes on Line A.

What error do you get ?

Fred

The problem here is that update_all doesn't actually sanitize the
value passed to the 'updates' parameter. Your particular example will
work if you change just surround the #{@album} in single quotes, but
that's obviously not going to address the broader problem. Rather,
you'll need to do something like the following:

records = Find(:all, :conditions => {:artist_name =>
@corrected_artist.artist_name, :album_name =>
@corrected_artist.album_name, :upc => corrected_artist.upc})
records.each {|r| r.update_attributes({:artist => @artist, :album_name
=> @album, :upc => params[:upc], :status => 'corrected'})

The basic idea is to retrieve all the records to be updated first (or
for better performance just the list of IDs to be updated), and *then*
use the ActiveRecord::Base methods that actually know how to sanitize
input.

The problem here is that update_all doesn't actually sanitize the
value passed to the 'updates' parameter.

It can do if you give it a chance, eg TempRoyaltyReport.update_all
(["artist_name=?", @artist_name]) or TempRoyaltyReport.update_all
( :artist_name => @artist_name). Just like the conditions you pass to
find.

Fred

Don't know why i didn't know this. Thanks!