Hi,
How can I pass a variable to a SQL query like
rs = dbh.prepare("select * from status_check where id=204")
rs.execute
Instead of giving the value of id I want to make it dynamic, where I can
pass the dynamic value of id fetched from the database, much like in PL/SQL.
How can I do this? Anybody help!!
--
Posted via http://www.ruby-forum.com/.
Look up "placeholders". A Google search yielded: http://www.kitebird.com/articles/ruby-dbi.html#TOC_8
David Morton
Maia Mailguard http://www.maiamailguard.com
mortonda@dgrmm.net
On Jan 1, 2008, at 9:45 PM, Pradeepta Swain wrote:
Pradeepta Swain wrote:
rs = dbh.prepare("select * from status_check where id=#{value}")
rs.execute
--
Posted via http://www.ruby-forum.com/.
NO! This is a security risk.
This opens you up to SQL injection attacks. You should always use placeholders so the library can properly escape your input. See my other message for a link on how to use placeholders.
David Morton
Maia Mailguard http://www.maiamailguard.com
mortonda@dgrmm.net
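An added example (not code from the thread or from Ruby DBI) putting the interpolated query beside the placeholder version David recommends. It uses the status_check table from the question; the two Recording* classes are constructed stand-ins that only record what the driver would receive, so the difference shows without a database.

```ruby
# Added example, not code from the thread or from Ruby DBI. The two stand-in
# classes below mimic the DBI calls used in the thread (dbh.prepare,
# sth.execute, sth.finish) and only record what the driver would receive,
# so the difference is visible without a database connection.
class RecordingStatement
  attr_reader :sql, :params
  def initialize(sql)
    @sql = sql
    @params = []
  end
  def execute(*bindvars)   # DBI sends bind values separately from the SQL text
    @params = bindvars
  end
  def finish; end
end

class RecordingHandle
  def prepare(sql)
    RecordingStatement.new(sql)
  end
end

# The thread's string-interpolation approach: the value is spliced into the SQL
# text, so anything that is not a bare number becomes part of the query itself.
def query_by_interpolation(dbh, value)
  sth = dbh.prepare("select * from status_check where id=#{value}")
  sth.execute
  [sth.sql, sth.params]
ensure
  sth.finish if sth
end

# The placeholder approach: the SQL text never changes and the value is passed
# as a bind parameter, so the driver treats it as data whatever it contains.
def query_by_placeholder(dbh, value)
  sth = dbh.prepare("select * from status_check where id = ?")
  sth.execute(value)
  [sth.sql, sth.params]
ensure
  sth.finish if sth
end

# Defence in depth for an integer column: Integer() raises ArgumentError for
# anything that is not a whole number, so bad input is rejected before the query.
def lookup_status_check(dbh, id)
  query_by_placeholder(dbh, Integer(id))
end
```

With a real DBI connection handle in place of RecordingHandle, query_by_placeholder and lookup_status_check are used unchanged; only the stand-in classes go away.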
On Jan 2, 2008, at 1:01 AM, Karthi kn wrote: