• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 797
  • Last Modified:

Query with dynamic Column Name

Hi,

I try to realize something like a query with dynamic column name.  Something like that:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and ? = 1', "b_" + params[:bereich]]

the result of the query is:

SELECT * FROM `veranstaltungen` WHERE (state="online" and (sub_art="konferenz" or sub_art="kongress") and 'b_inv' = 1) LIMIT 0, 10

As you can see, there the error is, that b_inv is in '', so the query does not work. Is there a way to fix it?
0
LL0rd
Asked:
LL0rd
  • 2
1 Solution
 
volkerlogesCommented:
Hi,

You can try to use ruby statements to build the string instead of using the ? for values. e.g.:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and b_' + params[:bereich] + ' = 1' ]

Check params[:bereich] before using it like above to avoid SQL injection.
0
 
LL0rdAuthor Commented:
And how can I check the User Input for SQL Injections?
0
 
volkerlogesCommented:
The columnname shouldn't originate from params[...].
If the content of params[:bereich] is limited, check for all allowed values and allow the request only if the content found is one of them.
If the SQL statement originates in parts from user input, it could concatenate to several SQL statements.
Another step could be to delete white-space and characters like "'.,:;-- from the params[:bereich] content before using the value inside a SQL-statement.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now