Solved

Query with dynamic Column Name

Posted on 2009-05-16
790 Views
Last Modified: 2013-11-13
Hi,

I am trying to build something like a query with a dynamic column name. Something like this:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and ? = 1', "b_" + params[:bereich]]

the result of the query is:

SELECT * FROM `veranstaltungen` WHERE (state="online" and (sub_art="konferenz" or sub_art="kongress") and 'b_inv' = 1) LIMIT 0, 10

As you can see, the error is that b_inv is wrapped in '', so the query does not work. Is there a way to fix it?
Question by:LL0rd
Expert Comment

by:volkerloges
ID: 24429538
Hi,

You can try using Ruby statements to build the string instead of using the ? for values, e.g.:

:conditions => ['state="online" and (sub_art="konferenz" or sub_art="kongress") and b_' + params[:bereich] + ' = 1' ]

Check params[:bereich] before using it like above to avoid SQL injection.

Author Comment

by:LL0rd
ID: 24429574
And how can I check the User Input for SQL Injections?

Accepted Solution

by:volkerloges (earned 2000 total points)
ID: 24445631
The column name shouldn't originate from params[...].
If the content of params[:bereich] is limited, check for all allowed values and allow the request only if the content found is one of them.
If parts of the SQL statement originate from user input, it could be concatenated into several SQL statements.
Another step could be to delete white-space and characters like "'.,:;-- from the params[:bereich] content before using the value inside an SQL statement.

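The allow-list approach from the accepted solution, as an added example that is not code from the thread. The `b_*` column names in the allow-list are constructed, and `substitute_placeholders` is a simplified stand-in for ActiveRecord's `?` substitution, used only to show why the original attempt produced `'b_inv' = 1`:

```ruby
# Allow-listing a user-chosen column name before it reaches the SQL text.
# Plain Ruby, no Rails required; table and column names follow the thread.

# Constructed mapping from the untrusted params[:bereich] value to a column
# name that we wrote ourselves (columns of the form b_<bereich>).
ALLOWED_BEREICH_COLUMNS = {
  "inv" => "b_inv",
  "it"  => "b_it",
  "mkt" => "b_mkt",
}.freeze

class InvalidBereich < ArgumentError; end

# Reject anything not in the allow-list instead of trying to clean it up:
# the identifier placed into the query is then always one of our own strings.
def bereich_column(bereich)
  ALLOWED_BEREICH_COLUMNS.fetch(bereich.to_s) do
    raise InvalidBereich, "unknown bereich: #{bereich.inspect}"
  end
end

# Build the :conditions array. The column name is interpolated only after
# allow-listing; the comparison values are still bound with ? placeholders.
def veranstaltungen_conditions(bereich)
  col = bereich_column(bereich)
  ["state = ? AND (sub_art = ? OR sub_art = ?) AND #{col} = ?",
   "online", "konferenz", "kongress", 1]
end

# Simplified stand-in for ActiveRecord's ? substitution (not its real code):
# bound values are always emitted as data, so a string becomes a quoted
# literal, which is exactly why "b_" + params[:bereich] turned into 'b_inv'.
def substitute_placeholders(sql, *values)
  remaining = values.dup
  sql.gsub("?") do
    v = remaining.shift
    v.is_a?(String) ? "'#{v.gsub("'", "''")}'" : v.to_s
  end
end
```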