In Rails, if I try to get an object using where:
Customer.where(:name => "abc")
the log file shows that no database bindings are used.
WHERE "apps"."name" = 'abc'
Now if I create a new object:
Customer.create(:name => "abc", :field => 1)
Rails uses parameters:
INSERT INTO "customers" ("name", "field") VALUES (?, ?)
How can I get Rails to use database parameter bindings in where as well?
The following statement also generates the same WHERE:
Customer.where("name = ?", "abc")
In Rails 3.1, prepared statements are used, so you will see queries like:
As far as I know, this works for PostgreSQL and not MySQL.
You needn't worry about SQL injection, in any case. Please read about the protections against SQL injection that are built into Rails: http://guides.rubyonrails.org/security.html#sql-injection
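The point of the answer above (and the reason the log line in the question is not a sign of trouble) is that `where` with a `?` placeholder or a hash quotes the value on the client before the SQL reaches the database, so the literal you see in the log is already escaped. The Ruby below is an added, simplified re-implementation of that quoting written for this page; it is not ActiveRecord's own code. It assumes standard SQL quote doubling (what the SQLite and PostgreSQL adapters emit; the MySQL adapter backslash-escapes instead), and the attacker payload is constructed for the demonstration.

```ruby
# Added illustration of how Rails' where() keeps SQL injection out even when
# the log shows literal values rather than "?" placeholders. Simplified model
# of the quoting ActiveRecord performs in sanitize_sql_array (assumption:
# standard SQL quote doubling, as used by the SQLite/PostgreSQL adapters;
# MySQL backslash-escapes). This is NOT ActiveRecord's code.

# Quote a Ruby value as a SQL literal. Single quotes inside strings are
# doubled, so the value can never terminate the literal it sits in.
def quote_literal(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Model of where("name = ?", "abc"): each ? is replaced by the quoted form of
# the next bind value. A placeholder/value count mismatch is an error, as it
# is in ActiveRecord.
def sanitize_sql_array(sql, *binds)
  placeholders = sql.count("?")
  unless placeholders == binds.size
    raise ArgumentError,
          "wrong number of bind variables (#{binds.size} for #{placeholders})"
  end
  values = binds.each
  sql.gsub("?") { quote_literal(values.next) }
end

# Model of the hash form where(name: "abc"): identifier-quoted column names,
# values through the same literal quoting.
def sanitize_hash(table, conditions)
  conditions.map { |col, val| %("#{table}"."#{col}" = #{quote_literal(val)}) }
            .join(" AND ")
end

# The pattern that IS injectable: interpolating user input into the SQL text.
def unsafe_where(name)
  "SELECT * FROM customers WHERE name = '#{name}'"
end

# The two safe forms the answer refers to.
def safe_where_array(name)
  "SELECT * FROM customers WHERE " + sanitize_sql_array("name = ?", name)
end

def safe_where_hash(name)
  "SELECT * FROM customers WHERE " + sanitize_hash("customers", name: name)
end

# Count string literals in a statement: input that has broken out of its
# literal shows up as extra literals with bare SQL between them.
def string_literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

# Constructed attacker input for the demonstration (a classic tautology).
PAYLOAD = "abc' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_where(PAYLOAD)       # the OR clause has become live SQL
  puts safe_where_array(PAYLOAD)   # the whole payload stays one literal
  puts safe_where_hash(PAYLOAD)
end
```

Run it and compare the three statements: only the interpolated form yields three string literals with an `OR` between them; both `where` forms keep the payload inside a single quoted literal, which is why the absence of `?` in the log does not by itself mean the query is injectable.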