Isn't that open to SQL injection?
--- Jon Egil Strand <jes@luretanker.no> wrote:
>
> My first instinct would be to remove the "#{}" around the variables, though I
> can't see that being the main issue.
> That sounds plausible.
Usually, I don't use prepare and execute, but instead:
DBI.connect('DBI:ODBC:database') do |dbh|
  your_data_structure.each do |data|
    sql = "INSERT INTO table
             (col1,
              col2,
              col3)
           VALUES
             ('#{data.val1}',
              '#{data.val2}',
              '#{data.val3}')"
    dbh.do( sql )
  end
end
--
Jon Egil Strand
Phone: +47 98232340
jes@luretanker.no
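
Added example, not part of the original thread: the interpolated INSERT from the quoted message next to a placeholder version that uses prepare and execute with "?" bind variables. Row, RecordingHandle and the sample rows are constructed stand-ins (assumptions) so the block runs without the dbi gem or a database.

```ruby
# Added example. Table and column names follow the post; Row and
# RecordingHandle are constructed stand-ins, not part of Ruby DBI.
Row = Struct.new(:val1, :val2, :val3)
INSERT_SQL = "INSERT INTO table (col1, col2, col3) VALUES (?, ?, ?)"

# The post's pattern: values are spliced into the statement text, so the
# SQL the driver parses changes with the data.
def interpolated_sql(data)
  "INSERT INTO table (col1, col2, col3) " \
  "VALUES ('#{data.val1}', '#{data.val2}', '#{data.val3}')"
end

# Placeholder form: one constant statement, values passed as bind variables.
# With Ruby DBI, dbh would come from DBI.connect('DBI:ODBC:database').
def insert_rows(dbh, rows)
  sth = dbh.prepare(INSERT_SQL)
  rows.each { |data| sth.execute(data.val1, data.val2, data.val3) }
ensure
  sth.finish if sth
end

# Minimal stand-in for a database handle: records what a driver would receive.
class RecordingHandle
  attr_reader :statements, :binds
  def initialize
    @statements = []
    @binds = []
  end

  def prepare(sql)
    @statements << sql
    self
  end

  def execute(*values)
    @binds << values
  end

  def finish; end
end

# Constructed sample data; the apostrophe in the second row closes the first
# string literal early when interpolated, leaving an unbalanced statement.
ROWS = [Row.new("Smith", "Oslo", "1"), Row.new("O'Brien", "Cork", "2")]

if __FILE__ == $PROGRAM_NAME
  ROWS.each { |row| puts interpolated_sql(row) }
  dbh = RecordingHandle.new
  insert_rows(dbh, ROWS)
  puts dbh.statements.inspect, dbh.binds.inspect
end
```

With placeholders the statement text is the same for every row and the values travel separately, so quoting inside a value cannot change how the statement is parsed.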