What's New in Edge Rails: Convenient Finder Parameter Hashes

Posted by ryan
at 5:30 PM on Tuesday, June 06, 2006

There’s now a convenient way to call Active Record finder methods when the query is based solely on ANDed equality conditions.

Before:

Article.find(:all, :conditions => [ "author_id = ? and status = ?", @author.id, 'published' ], :limit => 10)

Now:

Article.find(:all, :conditions => { :author_id => @author.id, :status => 'published' }, :limit => 10)

Instead of having to finagle with the SQL string and the correct number of ? placeholders – we can now just pass in the hash of parameters which will be ANDed together to form the SQL query.

Ahh, that’s nice.
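The safety question raised in the comments, as an added example (not code from this post or from Active Record): a simplified Ruby model of how the array and hash forms bind values as quoted literals, next to the string interpolation they replace. The function names, the quote-doubling rule and the column-name check are assumptions of this sketch; real adapters apply database-specific quoting.

```ruby
# Simplified model for illustration; not Active Record's implementation.

# Render a Ruby value as a SQL literal. Doubling single quotes is the ANSI
# rule (assumed here); real adapters use database-specific quoting.
def quote_value(value)
  case value
  when Numeric then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Array form: every ? placeholder is replaced by a quoted value.
def sanitize_array_conditions(template, *values)
  expected = template.count("?")
  unless expected == values.size
    raise ArgumentError, "#{values.size} values for #{expected} placeholders"
  end
  binds = values.dup
  template.gsub("?") { quote_value(binds.shift) }
end

# Hash form: keys become "column = ?" clauses joined with AND, then the
# values go through the same binding path as the array form.
def sanitize_hash_conditions(conditions)
  clauses = conditions.map do |column, value|
    name = column.to_s
    # Keys are identifiers, not data: reject anything that is not a plain name.
    raise ArgumentError, "invalid column name: #{name}" unless name.match?(/\A[a-z_][a-z0-9_]*\z/i)
    value.nil? ? "#{name} IS NULL" : "#{name} = ?"
  end
  sanitize_array_conditions(clauses.join(" AND "), *conditions.values.compact)
end

# The pattern both forms replace: the value is pasted into the SQL text.
def interpolated_conditions(status)
  "status = '#{status}'"
end

if __FILE__ == $PROGRAM_NAME
  hostile = "published' OR '1'='1"   # constructed sample input
  puts interpolated_conditions(hostile)
  puts sanitize_array_conditions("author_id = ? and status = ?", 7, hostile)
  puts sanitize_hash_conditions(:author_id => 7, :status => hostile)
end
```

With the constructed input, the interpolated string ends up containing a live `OR` clause, while both bound forms keep the whole value inside one quoted literal.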

tags: rubyonrails, rails

Comments

  1. Jay Fields, May 24, 2006 @ 07:27 AM
    small note: this only works with equality also.
  2. josh susser, May 24, 2006 @ 07:27 AM
    Hey, I like what you're doing with your What's New in Edge Rails series. I put a link to your blog up on Riding Rails so more people can find it.
  3. Joshua Sierles, May 24, 2006 @ 07:27 AM
    One approach to solve the above mentioned problems, using ruby blocks and overridden operators, can be found here: http://opensvn.csie.org/ezra/rails/plugins/dev/ez_where/
  4. Sean, May 24, 2006 @ 07:27 AM
    I have to admit that I was a little surprised when my feature suggestion that got rejected showed up as #1 on the "new features in edge rails" list.
  5. Terrell Russell, May 24, 2006 @ 07:27 AM
    Josh (the first), careful, you're going to give this kid a big head. "Nice":http://weblog.rubyonrails.com/articles/2006/06/07/whats-new-in-edge-rails Hi Ryan.
  6. Ryan Daigle, May 24, 2006 @ 07:27 AM
    Thanks for the pointer Josh (the first). And Terrell, my head is already unusually large so no harm done...
  7. Ryan Daigle, May 24, 2006 @ 07:27 AM
    Josh (the second): There's not yet a similar convenient syntax for ORs besides the standard

    :conditions => ['this = ? OR that =?', @this, @that]

  8. Hampton, May 24, 2006 @ 07:27 AM
    ---Strange--- The difference is discussion and politics in RailsCore. My first patch got rejected, then I got DHH to give me an answer on what kind of patch he would want and what behaviour he might expect, and the answer produced 5143. However, 4960 had several approaches which are all different and if I was a committer, I wouldn't know what to do with it. Also, it didn't have the mindshare backing of a committer or dhh. ---James--- No, the hash method still sanitizes the values passed in and is as safe from sql injection as the [string, val, val...] method. -hampton.
  9. Seth Thomas Rasmussen, May 24, 2006 @ 10:16 AM
    Sweet... 'bout effin' time. :)
  10. Doug, May 24, 2006 @ 10:16 AM
    That's great. Too bad I just spent a few hours hammering out a plugin to do the same thing. I guess I won't be releasing that one :-)
  11. Ryan Daigle, May 24, 2006 @ 10:16 AM
    James, the new way won't lead to SQL injection as the parameters are sanitized before being placed into the SQL string - as was done in the old way as well.

    From the changeset code comments:

    The array form is to be used when the condition input is tainted and requires sanitization. The string form can be used for statements that don't involve tainted data. The hash form works much like the array form, except only equality is possible.

  12. Strange, May 25, 2006 @ 04:27 AM
    How this gets shot down: http://dev.rubyonrails.org/ticket/4960 But this gets accepted: http://dev.rubyonrails.org/ticket/5143
  13. Josh (a different one), May 25, 2006 @ 04:27 AM
    What if you need an 'or' connector instead? Looks extremely nice, though. I admit that I tried doing this already, because it just sort of made sense that it would work. Nice to see someone actually making it work.
  14. Hampton, May 25, 2006 @ 04:27 AM
    As I've been playing around with ways to improve find, this was a simple straightforward approach that the rails core team liked, so we went with it and the patch is now in. It's fully my belief that AR::Base.find needs some serious thought as to ways to keep the SQL out and bring more semantic ruby in. There have been several approaches to bring in equality into semantic-find, but most of them have drawbacks and no one is settled yet on the Right Way to do it. Thoughts are absolutely welcome! What is the best syntax for showing greater than? Less than? Etc? I believe that there is a nice way to describe all of this without resorting to hand-written SQL with auto-quoting. But, at least this is an intermediary step in the right direction. Email me with thoughts and suggestions for how find should function! [email protected] -hampton.
  15. James, May 25, 2006 @ 04:27 AM
    I'm new to rails and was just reading 'Agile Web Development with Rails' concerning security, but doesn't the new (2nd) method lead to SQL injection?
  16. Piers Cawley, June 18, 2006 @ 04:46 PM
    Mmm... nice. And, on looking at the patch, it seems it should place nicely with scopes as well. Which is nice. In fact, it could even allow for a unification of the :create and :find keys in 'with_scope', which wouldn't suck either.