[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Query with dynamic Column Name

Posted on 2009-05-16
3
Medium Priority
?
787 Views
Last Modified: 2013-11-13
Hi,

I try to realize something like a query with dynamic column name.  Something like that:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and ? = 1', "b_" + params[:bereich]]

the result of the query is:

SELECT * FROM `veranstaltungen` WHERE (state="online" and (sub_art="konferenz" or sub_art="kongress") and 'b_inv' = 1) LIMIT 0, 10

As you can see, there the error is, that b_inv is in '', so the query does not work. Is there a way to fix it?
0
Comment
Question by:LL0rd
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 1

Expert Comment

by:volkerloges
ID: 24429538
Hi,

You can try to use ruby statements to build the string instead of using the ? for values. e.g.:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and b_' + params[:bereich] + ' = 1' ]

Check params[:bereich] before using it like above to avoid SQL injection.
0
 
LVL 1

Author Comment

by:LL0rd
ID: 24429574
And how can I check the User Input for SQL Injections?
0
 
LVL 1

Accepted Solution

by:
volkerloges earned 2000 total points
ID: 24445631
The columnname shouldn't originate from params[...].
If the content of params[:bereich] is limited, check for all allowed values and allow the request only if the content found is one of them.
If the SQL statement originates in parts from user input, it could concatenate to several SQL statements.
Another step could be to delete white-space and characters like "'.,:;-- from the params[:bereich] content before using the value inside a SQL-statement.

0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hi,      I've been learning Spring and Jersey for the past few months and to say in simple, i am pretty much impressed with these frameworks. Many developers feel it awkward to implement a RESTful Web Services with such a popular Web Application Fr…
Recently I spent hours debugging an issue in a Rails project where ActiveRecord was causing MySQL errors trying to create a User object of a class at the top level of a Single Table Inheritance model structure.  It turns out `.create` behaves differ…
The purpose of this video is to demonstrate how to set up the WordPress backend so that each page automatically generates a Mailchimp signup form in the sidebar. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question