[Rails] Bind Variables in Active Record
Michael Koziarski
koziarski at gmail.com
Tue Dec 7 00:34:58 GMT 2004
OK, I have some basic functionality to support bind variables; it
appears to work with the 'old' %s style too.
I've altered sanitize_conditions in
activerecord/lib/active_record/base.rb to check whether bind variables
are in the statement (/\?/). If they are, replace all the ?s with
escaped values from the arguments array; otherwise sanitize and expand.
There are a few gotchas with this simple approach:
1) ? in statements not meant for binding
None of the SQL dialects I've worked with use ?, is this a fair
assumption? Is there a better test for 'bind_variables_present'?
2) Mixing ? and %s is not supported, i.e. find_all(["id=? and
first_name like '%s'", 3, "''''bob'''\'?"])
Is there a legitimate case for this kind of query?
The next question is, how to allow each database adapter to override
the quoting rules for each data type. The current implementation has
a series of methods like this
  # Double every single quote (the ANSI escape) and wrap the result in quotes.
  def quote_string(value)
    value = value.gsub(/'/, "''")
    "'#{value}'"
  end

  # Dates are emitted via to_s and wrapped in quotes, with no dialect-specific format.
  def quote_date(value)
    "'#{value.to_s}'"
  end
etc.
What's the most logical place for this code to live? Mysql will have
to override quoting rules for ', and most databases will have to
provide custom formatting for Dates and Times.
The current sanitize method lives in ActiveRecord::Base right? Is that
the right place for these 'quoters'? All the DB specific stuff
appears to live in 'connection'. Should it go in there?
My lack of exposure to the code, and lack of ruby exposure generally,
makes me think I'm missing some really easy option....
I'll create a ticket & send a patch when I get my app working with
edge rails, hopefully tonight, but I'd appreciate any feedback ahead
of time.
--
Cheers
Koz
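The substitution logic the message describes, written out as an added stand-alone example (this is not Koz's patch or Rails code). The BindSketch module, the Quoter class and its :ansi/:mysql dialect symbols are hypothetical names chosen here; the assumption that the old %s path escapes a value without wrapping it in quotes (because the statement already carries them) is also an assumption, not something the message states. It covers both gotchas above: a literal ? in the statement is caught by counting bind values instead of silently binding into it, and when ? is present a %s is left alone. Two practitioner details are included that the message does not mention: the block form of gsub, so a value containing \0 or \\ cannot act as a back-reference, and per-dialect quoting where MySQL also escapes backslashes.

```ruby
# Added example, not Rails code: "? present => bind, otherwise %s-expand",
# with quoting rules dispatched per database dialect.
require 'date'

module BindSketch
  # Hypothetical stand-in for the per-adapter quoting rules the message
  # wants to move into 'connection'.
  class Quoter
    def initialize(dialect = :ansi)
      @dialect = dialect
    end

    # Quote a Ruby value as a SQL literal, dispatching on its type.
    def quote(value)
      case value
      when NilClass       then 'NULL'
      when Integer, Float then value.to_s
      when TrueClass      then @dialect == :mysql ? '1' : 'TRUE'
      when FalseClass     then @dialect == :mysql ? '0' : 'FALSE'
      when Date, Time     then quote_date(value)
      else                     quote_string(value.to_s)
      end
    end

    # Escape the contents of a string literal without adding the outer quotes.
    def escape_string(value)
      escaped = value.gsub("'", "''")
      # MySQL treats backslash as an escape character, so it must be doubled
      # as well; the block form keeps gsub from interpreting the replacement.
      escaped = escaped.gsub('\\') { '\\\\' } if @dialect == :mysql
      escaped
    end

    def quote_string(value)
      "'#{escape_string(value)}'"
    end

    # Dates get a date-only literal, Times a date-time literal.
    def quote_date(value)
      fmt = value.is_a?(Date) ? '%Y-%m-%d' : '%Y-%m-%d %H:%M:%S'
      "'#{value.strftime(fmt)}'"
    end

    # Old %s style: escape only, the statement supplies the quotes (assumption).
    def sanitize(value)
      value.is_a?(String) ? escape_string(value) : value.to_s
    end
  end

  # conditions is either a bare SQL string or [statement, *values].
  def self.sanitize_conditions(conditions, quoter = Quoter.new)
    return conditions if conditions.is_a?(String)
    statement, *values = conditions
    if statement.include?('?')
      bind(statement, values, quoter)
    else
      statement % values.map { |v| quoter.sanitize(v) }
    end
  end

  # Replace each ? with the next quoted value. The block form of gsub is
  # essential: with a plain replacement string a value such as "\\0" would be
  # expanded as a back-reference to the matched "?" instead of being inserted.
  def self.bind(statement, values, quoter)
    queue = values.dup
    bound = statement.gsub('?') do
      # A literal ? in the SQL (gotcha 1) shows up here as a count mismatch.
      raise ArgumentError, 'too few bind values for statement' if queue.empty?
      quoter.quote(queue.shift)
    end
    raise ArgumentError, 'too many bind values for statement' unless queue.empty?
    bound
  end
end

if $PROGRAM_NAME == __FILE__
  puts BindSketch.sanitize_conditions(["name = ? and id > ?", "' OR 1=1 --", 3])
  puts BindSketch.sanitize_conditions(["id = ? and name like '%s'", 3])
end
```

Note that with two values the statement `"name = ? and note like 'what?'"` would still bind into the literal ? with no error; the count check only catches the mismatch, which is why the message's question about a better test for bind_variables_present matters.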