[Solar-talk] Patch for Solar_Content_Abstract
Mike Naberezny
mike at naberezny.com
Mon Oct 2 20:03:44 PDT 2006
Travis Swicegood wrote:
> But that doesn't fix the larger issue, that all integers that are passed
> through the quoting mechanisms will (may?) not work properly. The long
> term solution is to fix the SQL escaping to look to is_numeric() or some
> other similar function to figure out if it should be escaped.
I use ActiveRecord (from Ruby on Rails) with success on both MySQL and SQLite
so I took a look at its source code to see how it handles this issue:
http://dev.rubyonrails.org/browser/trunk/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
It does as you suggest and does not quote numerics when building SQL. If
given a numeric object type, ActiveRecord passes it without quoting. If given
a string but the destination column type is numeric, ActiveRecord first casts
the string to numeric and then passes it without quoting. Obviously, the
latter case requires knowledge of the table schema.
Solar may want to adopt the same handling if there are cases where it can't
use bound parameters and must quote. Binding would be the best practice.
> Anyone have any comments on this? There's a bug open in Trac:
> http://solarphp.com/trac/ticket/10
In digging through the SQLite adapter for ActiveRecord, I found that it
handles an issue with COUNT(DISTINCT) that you may also want to intercept in
your adapter:
http://dev.rubyonrails.org/browser/trunk/activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb#L349
Regards,
Mike Naberezny
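The quoting rule described in the message above, as an added example that is not part of the original post and is not ActiveRecord's or Solar's code: numeric objects are emitted unquoted, strings destined for a numeric column (when the schema is known) are validated and cast before being emitted unquoted, and everything else is escaped and quoted. The `quote_value`, `build_select`, schema hash and the `:integer`/`:float` column-type symbols are assumptions introduced for the example; the escaping used is single-quote doubling, which is what SQLite and ANSI SQL expect.

```ruby
# Added example (not ActiveRecord's or Solar's code): quote values for SQL
# literals following the rule in the message above. Column types in the
# schema hash are assumed to be :integer, :float, :string or nil (unknown).

def quote_string(s)
  # ANSI/SQLite escaping: double every embedded single quote.
  "'" + s.gsub("'", "''") + "'"
end

def quote_value(value, column_type = nil)
  case value
  when nil
    "NULL"
  when Integer, Float
    # Numeric object: pass through without quotes.
    value.to_s
  when String
    case column_type
    when :integer
      # Destination column is numeric: cast the string, rejecting anything that
      # is not a plain integer so that no text reaches the SQL unquoted.
      unless value =~ /\A[+-]?\d+\z/
        raise ArgumentError, "not an integer for numeric column: #{value.inspect}"
      end
      Integer(value, 10).to_s
    when :float
      begin
        Float(value).to_s
      rescue ArgumentError
        raise ArgumentError, "not a float for numeric column: #{value.inspect}"
      end
    else
      # Unknown or string column: escape and quote.
      quote_string(value)
    end
  else
    quote_string(value.to_s)
  end
end

# Build a simple equality WHERE clause using the quoting rule above.
# schema maps column name => column type symbol (may be empty if unknown).
def build_select(table, conditions, schema = {})
  where = conditions.map do |col, val|
    "#{col} = #{quote_value(val, schema[col])}"
  end.join(" AND ")
  "SELECT * FROM #{table} WHERE #{where}"
end

if __FILE__ == $PROGRAM_NAME
  schema = { "id" => :integer, "name" => :string }
  puts build_select("users", { "id" => "7", "name" => "O'Reilly" }, schema)
end
```

Where the driver supports bound parameters, binding should still be preferred over building literals this way, as the message says; the cast-then-unquote path exists only for the cases where quoting cannot be avoided, and the validation step is what keeps a non-numeric string from reaching the statement unquoted.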