Solved

Query with dynamic Column Name

Posted on 2009-05-16
3
783 Views
Last Modified: 2013-11-13
Hi,

I am trying to realize something like a query with a dynamic column name. Something like this:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and ? = 1', "b_" + params[:bereich]]

the result of the query is:

SELECT * FROM `veranstaltungen` WHERE (state="online" and (sub_art="konferenz" or sub_art="kongress") and 'b_inv' = 1) LIMIT 0, 10

As you can see, the error is that b_inv is in '', so the query does not work. Is there a way to fix it?
Question by:LL0rd
3 Comments
LVL 1

Expert Comment

by:volkerloges
ID: 24429538
Hi,

You can try to use Ruby statements to build the string instead of using the ? for values, e.g.:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and b_' + params[:bereich] + ' = 1' ]

Check params[:bereich] before using it like above to avoid SQL injection.
LVL 1

Author Comment

by:LL0rd
ID: 24429574
And how can I check the User Input for SQL Injections?
LVL 1

Accepted Solution

by: volkerloges (earned 500 total points)
ID: 24445631
The column name shouldn't originate from params[...].
If the content of params[:bereich] is limited, check for all allowed values and allow the request only if the content found is one of them.
If the SQL statement originates in part from user input, it could be concatenated into several SQL statements.
Another step could be to delete white-space and characters like "'.,:;-- from the params[:bereich] content before using the value inside an SQL statement.

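The allow-list approach from the accepted solution, as an added Ruby example that is not part of the original thread: the permitted suffixes (inv, ext, int) are constructed sample values, and conditions_for / allowed_bereich? are hypothetical helper names. Only a value found on the list is ever interpolated into the SQL text, so the column name never carries raw user input.

```ruby
# Added example (not from the original thread): build the :conditions array
# only when the user-supplied column suffix is on an allow-list.
# The allowed suffixes are constructed sample values for this example.
ALLOWED_BEREICHE = %w[inv ext int].freeze

# The fixed part of the WHERE clause from the question, unchanged.
STATIC_CONDITION =
  'state="online" and (sub_art="konferenz" or sub_art="kongress")'.freeze

class InvalidColumnError < ArgumentError; end

# True if the request value maps to a known column suffix.
def allowed_bereich?(bereich)
  ALLOWED_BEREICHE.include?(bereich.to_s)
end

# Returns the Rails-style conditions array with the column name written
# directly into the SQL text (no '?' placeholder, so it is not quoted as a
# string literal). Raises if the value is not on the allow-list, so the
# request is refused instead of reaching the database.
def conditions_for(bereich)
  value = bereich.to_s
  unless allowed_bereich?(value)
    raise InvalidColumnError, "bereich #{value.inspect} is not an allowed column"
  end
  column = "b_#{value}"             # only ever one of the listed suffixes
  ["#{STATIC_CONDITION} and #{column} = 1"]
end
```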
