I am trying to get rows from MySQL in Rails with the following query. I am trying it first on the console, but it is not working. Please help me.
name="vikash"
List=User.find_by_sql["SELECT * from users where name like ?",%#{name}%]
There is a small mistake in your query.
There should be a space after find_by_sql, and the name interpolation should be done with double quotes.
name = "vikash"
list = User.find_by_sql ["SELECT * from users where name like ?", "%#{name}%"]
Check below links for details
http://www.w3schools.com/sql/trysql.asp?filename=trysql_select_like
http://apidock.com/rails/ActiveRecord/Querying/find_by_sql
Hope this will help you...
Do not put the variable directly into the conditions string; doing so will pass the variable to the database as-is. This means that it will be an unescaped variable directly from a user who may have malicious intent.
You can check this in the console by setting name = "vikash'" and running the query shown by #sanju:
User.find_by_sql("SELECT * from users where name like '%#{name}%'")
And see the difference in how malicious characters are escaped by querying with:
list = User.find_by_sql ["SELECT * from users where name like ?", "%#{name}%"]
For further information visit:
http://guides.rubyonrails.org/active_record_querying.html
https://railsguide.wordpress.com/2016/03/02/sanitizing-user-input-while-quering/
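The difference described in the answer above, as an added example that is not part of the original posts. It uses Python with an in-memory SQLite database as a stand-in for Rails and MySQL so that it runs offline; the table contents and function names are constructed for illustration. It also goes one step further than the thread: a bound value is safe from quoting problems, but `%` and `_` inside it still act as LIKE wildcards unless escaped (Rails offers sanitize_sql_like for this).

```python
import sqlite3

def make_db():
    # Constructed sample rows; in-memory SQLite stands in for the MySQL table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("vikash",), ("vikash'o",), ("100%_sure",), ("sanju",)])
    return db

def search_interpolated(db, name):
    # The value is pasted into the SQL text, so a quote in it alters the statement.
    sql = "SELECT name FROM users WHERE name LIKE '%" + name + "%' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def interpolated_breaks(db, name):
    # True when the pasted value leaves the database with malformed SQL.
    try:
        search_interpolated(db, name)
        return False
    except sqlite3.OperationalError:
        return True

def escape_like(value, esc="\\"):
    # Neutralise LIKE wildcards in data (what sanitize_sql_like does in Rails).
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def search_bound(db, name, escape=True):
    # The SQL text is fixed; the value is sent separately as a bound parameter.
    term = escape_like(name) if escape else name
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = make_db()
    print(interpolated_breaks(db, "vikash'"))   # quote breaks the pasted SQL
    print(search_bound(db, "vikash'"))          # quote is treated as data
    print(search_bound(db, "%", escape=False))  # wildcard matches every row
    print(search_bound(db, "%"))                # escaped: literal percent only
```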
Try updating your find_by_sql to the following:
User.find_by_sql(["SELECT * from users where name like ?", "%#{name}%"])
use this code:
list= User.find_by_sql("SELECT * from users where name like '%#{name}%'")
Try this query
User.find_by_sql("SELECT * from users where name like '%#{name}%'")
Related
From a rest API URL, I'm receiving a user ID that looks like this: 58988e75c918f5bd5804afd6.
The database has the user name stored in the name field in the format:
58988e75c918f5bd5804afd6 John.
My current SQL query to fetch this record is:
$sql = 'SELECT * FROM users WHERE name LIKE :term';
$result = db_query($sql, array(':term' => db_like($userid)));
$existingUser = $result->fetchObject();
With the current SQL query, even if I supply the partial user ID (58988e75c918f5bd5804), it seems to fetch the John row, which is not something I expect to happen. How do I fix the query so that it exactly matches the user ID containing John?
Expected result: No records to be retrieved since the user id did not match exactly.
Update: I fetch the records and then do a substring replace to update the record in the Drupal table.
Note: Feel free to modify the SQL query to get the expected result; it needn't use LIKE.
Use a space in your like term:
Include space in mysql like search
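// A placeholder inside quotes is not bound, so the space (and the trailing
// wildcard for the rest of the name) goes into the bound value instead.
$sql = 'SELECT * FROM users WHERE name LIKE :term';
$result = db_query($sql, array(':term' => db_like($userid) . ' %'));
$existingUser = $result->fetchObject();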
Better validate the string size with PHP and then perform mysql like. As you are using same encryption style you will get same number of characters encrypted so.
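Two ways to match the whole ID in front of the name, as an added example that is not part of the original posts. It uses Python with in-memory SQLite as a stand-in for Drupal and MySQL; the second row and the function names are constructed. It shows why the ID must be escaped before it is used in a LIKE pattern, and an equality comparison that avoids LIKE altogether.

```python
import sqlite3

def make_users():
    # First row is the value from the question; the second is constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.executemany("INSERT INTO users VALUES (?)",
                   [("58988e75c918f5bd5804afd6 John",),
                    ("58988e75c918f5bd5804afd7 Jane",)])
    return db

def find_like_prefix(db, user_id):
    # Bound LIKE with "<id> %": the space anchors the end of the id, but
    # % and _ inside user_id still act as wildcards unless escaped.
    sql = "SELECT name FROM users WHERE name LIKE ? ORDER BY name"
    return [r[0] for r in db.execute(sql, (user_id + " %",))]

def find_exact_id(db, user_id):
    # No LIKE: compare the text before the first space for equality.
    # (MySQL spelling of the same idea: SUBSTRING_INDEX(name, ' ', 1) = :id)
    sql = ("SELECT name FROM users "
           "WHERE substr(name, 1, instr(name, ' ') - 1) = ? ORDER BY name")
    return [r[0] for r in db.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_users()
    print(find_like_prefix(db, "58988e75c918f5bd5804afd6"))  # John only
    print(find_like_prefix(db, "58988e75c918f5bd5804"))      # partial id: none
    print(find_like_prefix(db, "58988e75c918f5bd5804afd_"))  # unescaped _: both
    print(find_exact_id(db, "58988e75c918f5bd5804afd_"))     # equality: none
```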
I am using spring and hibernate in my project. This is My Query. When I execute this query I am getting data from DB. But if I frame the query like this I am getting 0 records.
String fullname1 = "this is my String";
select name,gender from account where fullname='fullname1';
If I create query like this I am getting data. But fullname1 is not a static data.
select name,gender from account where fullname like '%this%';
The problem is that if my fullname1 has only one word, I get the proper data. If it has multiple words, I do not get any data.
Can anyone suggest how to frame the query in this situation?
Try to concatenate your string to search like this
select name,gender from account where fullname like '%' + yourVariable + '%';
Assuming yourVariable is containing the string which you want to search.
EDIT:
As confirmed by OP in comments the query which worked for him/her is:
select name,gender from account where fullname='" + fullname1+ "'";
Also your query is prone to SQL Injection. So it is better to use Prepared statement.
Hi, I have been trying to do a query that receives its value from a query string, but it is not working. I think the query itself is no good. Could you help me?
So I receive the query on
<%String detalhe = request.getParameter("value");%>
I won't post the connections and so on, because they work with other queries, so the problem is not the connections.
// SQL query to retrieve values from the specified table.
String QueryString = "SELECT * FROM ebooko.dadoslivros WHERE Autor LIKE '%" + detalhe + "%'"
        + " OR ano LIKE '%" + detalhe + "%'";
rs = statement.executeQuery(QueryString);
It simply cannot retrieve the value I'm querying.
Additional info:
Table: dadoslivros
Columns that I need to compare the value against: Autor, ano.
For example, when I follow the href, the value that is passed is: Jules%Verne (I guess it changes spaces to '%').
Use URLDecoder#decode() to decode the parameters in the query string.
You should also consider using a PreparedStatement to prevent SQL injection attacks.
I solved it changing the query:
String QueryString = "SELECT * FROM dadoslivros WHERE (Data LIKE '%"+detalhe+"%') OR (Autor LIKE '%"+detalhe+"%')";;
maybe it can help another person ;)
I'm currently in hour two of this issue. I can't explain it, so I will simply show what is going on. I don't know if this matters at all, but I am using the LinkedIn API to retrieve a user's LinkedIn unique ID.
In English, what I'm doing:
User Signs in with LinkedIn
I read-in user's LinkedIn ID (returned from the API)
If ID exists in database, say "hello", if not, show them a form to register
The issue I am having:
The following line works and properly returns the 1 user I have in the database with a linkedIn ID of OtOgMaJ2NM
$company_data = "SELECT * FROM s_user WHERE `LI_id` = 'OtOgMaJ2NM'";
The following query returns no results - using the same database with the same record in the table s_user:
$linkedIn_id = "<?js= id ?>";
echo $linkedIn_id;
The following code outputs OtOgMaJ2NM with no trailing spaces.
So far so good ... except when I run the query this time using the variable, no records are returned!
$company_data = "SELECT * FROM s_user WHERE `LI_id` = '$linkedIn_id'";
Further notes:
When I echo $company_data, the same query is displayed with the variable as was displayed with the plain-text version of the query.
Anyone have ANY ideas?
Thanks,
Evan
I can only assume that when echoing variables it strips the tags, so when you're using it with the query you're actually saying:
$company_data = "SELECT * FROM s_user WHERE `LI_id` = '<?js= OtOgMaJ2NM ?>'";
I could be wrong, but have you tried stripping the tags from the variable?
If you send the variable between the "", the MySQL engine will search for $linkedIn_id literally and not for its content.
Seems you are using php, but I'm not sure about the right syntax. Take a look in the docs.
I have a name stored in the variable username and would like to pull users row information when I try
result = dbh.query("SELECT * FROM maintab WHERE user = '#{username}'")
I get no results. If I put in the username by hand, however, it does return a result. How do I format my query so that I may use variables?
Try to debug this way:
username = "Peter" # any of your real name
result = dbh.query("SELECT * FROM maintab WHERE user = '#{username}'")
It should work. It looks like your username is nil or blank.
Open up IRB and try to print what you have.
How does #{} behave with single quotes vs escaped double quotes?
That should answer your question.