Re: SQLite3 passing row data from 1 class to another

You need to read the error message! It's very clear what it is telling
you:

/usr/lib/ruby/1.8/sqlite3/errors.rb:62:in `check': no such column:
custnos(SQLite3::SQLException)

That is, there is an error in your SQL. You are trying to do something
with a column called "custnos", and your table does not have one.

The sqlite3 command line tool is useful here:

sqlite3 path/to/your/db.sqlite3

This lets you try out SQL interactively, until you arrive at the
incantation which works.

def rec_to_find (table, colname, tofind)
stmt = "select * from #{table} where #{colname} = " + tofind
row = @db.execute(stmt)
result row
end

This code is broken because you tack tofind onto the end of your query
without quoting it. Imagine you do the following:

rec_to_find("customers","name","fred")

This will generate:

select * from customers where name=fred

This is almost certainly not what you want (this query finds customers
where the value in column 'name' is the same as the value in column
'fred')

What you probably wanted was:

select * from customers where name='fred'

However, just adding the quotes in by itself is also very dangerous.
Suppose someone enters a customer name which contains a single-quote;
you can end up with (best case) a corrupt SQL statement, or (worst case)
you have allowed the user to add or modify *all* the data in your
database with a carefully-constructed 'name' value.

This is illustrated beautifully here:
http://xkcd.com/327/

If you don't understand this, then you should steer clear of
constructing SQL queries. Instead, use an abstraction layer to handle
this for you. For example, with ActiveRecord you can write

n = gets.chomp
Customer.find(:all, :conditions => ["name = ?", n])
or
n = gets.chomp
Customer.find(:all, :conditions => {:name => n})

and it will take care of all the SQL building and escaping for you.
--
Posted via http://www.ruby-forum.com/.

.

Relevant Pages

  • Re: OO vs. RDB challenge
    ... Lets say you have a list of customers ... Layer 1. ... SQL might help with Layer 1 ... SQL might help with Layer 2 but only if the query is simple enough. ...
    (comp.object)
  • Re: Modifying Data Directly through Studio Manager
    ... 'tool' to allow your customers to manage their data. ... I've seen people comment on turned on the query pane, ... Many of my customers are starting to upgrade to SQL 2005, ... Isaac Shloss, MCSE ...
    (microsoft.public.sqlserver.tools)
  • Re: Modifying Data Directly through Studio Manager
    ... Because business decision choose to allow this doesn't mean that it isn't an ... 'tool' to allow your customers to manage their data. ... I've seen people comment on turned on the query pane, ... Many of my customers are starting to upgrade to SQL 2005, ...
    (microsoft.public.sqlserver.tools)
  • Re: LinqToSql Paging problem (bug?) with Skip and Take
    ... index as a default sort [assuming it can pick one from the numerous ... in a join query, I'll have to contend with unstable row order. ... reliable then they should really generate row-order preserving sql ... Sort customers on country, then page over customers ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Jet SQL and Virtual tables/subqueries qiestions
    ... Perahps we've begin to uncover some bugs in the Access query ... If you PASTE SQL test in the following format into the SQL window ... around a field or table name within the VirtTbl1 subquery, ... I would think that producing a correct error message for that sort of query ...
    (microsoft.public.access.queries)