I try to set up a loop to put the data in the array into the oracle
data base by iteration.
Thus I put the variable into the sql query. I know this is no correct
for dynamic querying,
Can you give me some advise about how to do dynamic querying in ruby and
oracle?
Here is my wrong example. I hope this help you understand my question. I
really
appreciate your help..Thank you so much!!
···
----------------------------------------------------------------------------------------------------
for q in 0..4
s = Float(q)
conn.exec( 'UPDATE SCH_EVENT SET P_ID = 2444334 where RANK= s AND
playlist_id=432')
end
------------------------------------------------------------------------------------------------------
You can expand within double quotes using "#{my_var}", so maybe
something like...
conn.exec( "UPDATE SCH_EVENT SET P_ID = 2444334 where RANK = #{s} AND
playlist_id=432")
Usually, capitalization in a SQL statement is reserved for keywords,
but everyone has their own style.
Todd
···
On Thu, May 29, 2008 at 6:09 PM, Ting Chang <aumart@gmail.com> wrote:
I try to set up a loop to put the data in the array into the oracle
data base by iteration.
Thus I put the variable into the sql query. I know this is no correct
for dynamic querying,
Can you give me some advise about how to do dynamic querying in ruby and
oracle?
Here is my wrong example. I hope this help you understand my question. I
really
appreciate your help..Thank you so much!!
----------------------------------------------------------------------------------------------------
for q in 0..4
s = Float(q)
conn.exec( 'UPDATE SCH_EVENT SET P_ID = 2444334 where RANK= s AND
playlist_id=432')
end
------------------------------------------------------------------------------------------------------
Good style is:
conn.exec( "UPDATE SCH_EVENT SET P_ID = 2444334 where RANK = :1 AND
playlist_id=432", s)
The most efficient way in performance view is:
----------------------------------------------------------------------------------------------------
cursor = conn.parse( 'UPDATE SCH_EVENT SET P_ID = 2444334 where RANK=
:1 AND playlist_id=432')
for q in 0..4
s = Float(q)
cursor.exec(s)
end
cursor.close
----------------------------------------------------------------------------------------------------
Good style is:
conn.exec( "UPDATE SCH_EVENT SET P_ID = 2444334 where RANK = :1 AND
playlist_id=432", s)
The most efficient way in performance view is:
----------------------------------------------------------------------------------------------------
cursor = conn.parse( 'UPDATE SCH_EVENT SET P_ID = 2444334 where RANK=
:1 AND playlist_id=432')
for q in 0..4
s = Float(q)
cursor.exec(s)
end
cursor.close
----------------------------------------------------------------------------------------------------
Converting to a number type before using the value is injection safe. I wonder how
you are going to convince #to_f (or #to_i )to return valid SQL code.
But: why don't you just use prepared Statements?
Regards,
Florian Gilcher
···
On May 30, 2008, at 6:37 PM, Phillip Gawlowski wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ryan Lewis wrote:
> or even:
> (0..4).each { |q| conn.exec( 'UPDATE SCH_EVENT SET P_ID = 2444334 where
> RANK = #{q.to_f} AND playlist_id = 432' ) }
Well, if you use single quotes for your SQL string, you can't because either
the SQL library will quote the other arguments properly, or they'll be sent
to the database via some other mechanism than inclusion in the string.
As another example: There's nothing inherently insecure about:
Yeah.. this is just a example.....
but #{} does convert the variables into the SQL query,
to_f and to_i works~~
Thanks guys~
-Erick
Florian Gilcher wrote:
···
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On May 30, 2008, at 6:37 PM, Phillip Gawlowski wrote:
Converting to a number type before using the value is injection safe.
I wonder how
you are going to convince #to_f (or #to_i )to return valid SQL code.