ActiveRecord User-Supplied Column Name

ActiveRecord user-supplied column name

To prevent SQL injection, you should validate that the column is a valid one:

valid_cols = ["c1", "c2"]
valid_cols.include?(column) or raise "Bad query"

Then you can just use the query interface as before:

Model.where("#{column} >= ?", min)
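An added example, not part of the original answer: the same allowlist check written so that the identifier placed into the SQL fragment comes from server-side data and never from the request string itself. FILTERABLE_COLUMNS, UnknownColumn, range_condition and demo are hypothetical names, and the inputs in demo are constructed.

```ruby
# Added example: allowlist a user-supplied column name before it reaches SQL.
# All names here are hypothetical; c1/c2 are the columns from the answer above.

class UnknownColumn < ArgumentError; end

# Accepted request values mapped to the real column identifiers.
# Frozen so the allowlist cannot be mutated at runtime.
FILTERABLE_COLUMNS = {
  "c1" => "c1",
  "c2" => "c2"
}.freeze

# Returns [sql_fragment, bind_value].
# The column text is taken from the allowlist hash, not from the input;
# the comparison value always travels as a bind parameter.
def range_condition(column_param, min, allowed: FILTERABLE_COLUMNS)
  # Request parameters can arrive as arrays or hashes (e.g. column[]=c1);
  # refuse those instead of coercing them with to_s.
  unless column_param.is_a?(String) || column_param.is_a?(Symbol)
    raise UnknownColumn, "column must be a string"
  end
  # Exact match only: no case folding, no trimming, no partial match.
  column = allowed.fetch(column_param.to_s) do
    raise UnknownColumn, "column not permitted"
  end
  ["#{column} >= ?", min]
end

# Constructed inputs: two legitimate values and three that must be refused.
def demo
  ["c1", :c2, "c1 OR 1=1 --", "C1 ", ["c1"]].map do |input|
    begin
      range_condition(input, 10)
    rescue UnknownColumn => e
      e.message # the rejected input is deliberately not echoed back
    end
  end
end
```

Assuming the column name arrives as params[:column], the result can be passed on as Model.where(*range_condition(params[:column], min)).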

Rails - Cannot write unknown attribute for single-sided reference

The model that has the "other_model_id" column has to declare a "belongs_to" relationship, not a "has_one" relationship. Change your code to belongs_to :subject

Check the Rails guides: https://guides.rubyonrails.org/association_basics.html#choosing-between-belongs-to-and-has-one

EDIT: FYI, you don't need those @subject = Subject.find(params[:product][:subject_id]) and @product.subject = @subject lines; the new already handles that if you permit the :subject_id param on product_params

What is causing this ActiveRecord::ReadOnlyRecord error?

Rails 2.3.3 and lower

From the ActiveRecord CHANGELOG (v1.12.0, October 16th, 2005):

Introduce read-only records. If you call object.readonly! then it will mark the object as read-only and raise ReadOnlyRecord if you call object.save. object.readonly? reports whether the object is read-only. Passing :readonly => true to any finder method will mark returned records as read-only. The :joins option now implies :readonly, so if you use this option, saving the same record will now fail. Use find_by_sql to work around.

Using find_by_sql is not really an alternative as it returns raw row/column data, not ActiveRecords. You have two options:

  1. Force the instance variable @readonly to false in the record (hack)
  2. Use :include => :card instead of :join => :card

Rails 2.3.4 and above

Most of the above no longer holds true, after September 10 2012:

  • using Record.find_by_sql is a viable option
  • :readonly => true is automatically inferred only if :joins was specified without an explicit :select nor an explicit (or finder-scope-inherited) :readonly option (see the implementation of set_readonly_option! in active_record/base.rb for Rails 2.3.4, or the implementation of to_a in active_record/relation.rb and of custom_join_sql in active_record/relation/query_methods.rb for Rails 3.0.0)
  • however, :readonly => true is always automatically inferred in has_and_belongs_to_many if the join table has more than the two foreign key columns and :joins was specified without an explicit :select (i.e. user-supplied :readonly values are ignored -- see finding_with_ambiguous_select? in active_record/associations/has_and_belongs_to_many_association.rb.)
  • in conclusion, unless dealing with a special join table and has_and_belongs_to_many, then @aaronrustad's answer applies just fine in Rails 2.3.4 and 3.0.0.
  • do not use :includes if you want to achieve an INNER JOIN (:includes implies a LEFT OUTER JOIN, which is less selective and less efficient than INNER JOIN.)

