http://www.robbyonrails.com/articles/2005/10/21/using-named-placeholders-in-ruby en-us 40 thoughts.sort_by{|t| t[:topic]}.collect <p><strong>Insert Hip Quote Here:</strong></p> <p><em>&#8220;In ancient times, hundreds of years before the dawn of history, an ancient race of people&#8230; the Druids. No one knows who they were or what they were doing&#8230; &#8220;</em> &#8211; Nigel Tufnel, Spinal Tap</p> <p><strong>Story Time&#8230;</strong></p> <p>Earlier, I was giving a customer of ours, Jared from <a href="http://www.communitywalk.com">CommunityWalk.com</a> a quick tutorial on some of the features script/console&#8230; which lead to helping him with a <span class="caps">SQL</span> query. When I provided him with some working code he was curious about what I had done in the <span class="caps">SQL</span> query string that I was passing to <code>find_by_sql</code>.</p> <p><strong><span class="caps">WARNING</span></strong></p> <p>If you have <span class="caps">ANY SQL</span> queries that resembles the following, <span class="caps">PLEASE READ THE REST OF THIS</span>. :-)</p> <div class="typocode"><pre><code class="typocode_ruby "><span class="ident">values</span> <span class="punct">=</span> <span class="ident">params</span><span class="punct">[</span><span class="symbol">:search</span><span class="punct">]</span> <span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">&quot;</span><span class="string">first_name = '<span class="expr">#{values['first_name']}</span>'</span><span class="punct">&quot;</span> <span class="punct">)</span></code></pre></div> <p>If you are doing that&#8230; then you are opening yourself up to some security problems. Let&#8217;s take a few minutes and discuss how you can make this more secure and still keep your code readable. (the best of both worlds!)</p> <p><strong>The ? Placeholder</strong></p> Many of you are probably familiar with this approach&#8230; <div class="typocode"><pre><code class="typocode_ruby "><span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">['</span><span class="string">first_name = ?</span><span class="punct">',</span> <span class="punct">'</span><span class="string">Nigel</span><span class="punct">']</span> <span class="punct">)</span> <span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">['</span><span class="string">first_name = ? AND last_name = ?</span><span class="punct">',</span> <span class="punct">'</span><span class="string">Nigel</span><span class="punct">',</span> <span class="punct">'</span><span class="string">Tufnel</span><span class="punct">']</span> <span class="punct">)</span></code></pre></div> <p>You can pass it a hash as well.. and as long as you put everything in the same order as the <code>?</code>s are placed&#8230; then all is well.</p> <p>My only real problem with this approach is that it requires you to keep things in a specific sequential order&#8230; and who wants to keep track of that? So, I would like to recommend that you use named placeholders. Aside from that, it looks magical and I don&#8217;t like magical-looking code. I like <em>easy to read code</em>. :-)</p> <p><strong>Named Placeholders</strong></p> <p>If you already use these&#8230; you know how useful they can be in your <span class="caps">SQL</span> queries. If you haven&#8217;t seen them before&#8230; it&#8217;s because the Rails docs don&#8217;t really mention it and is something that comes from the underlying database library in Ruby. So what is so great about these?</p> Let&#8217;s first replace the above code with named parameters&#8230; <div class="typocode"><pre><code class="typocode_ruby "><span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">['</span><span class="string">first_name = :first_name</span><span class="punct">',</span> <span class="punct">{</span> <span class="symbol">:first_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Nigel</span><span class="punct">'</span> <span class="punct">}</span> <span class="punct">]</span> <span class="punct">)</span></code></pre></div> <p>We are passing a hash with a matching key to the conditions option. Pretty neat, right? In this case with just one placeholder we just increased the amount of code to do the same thing. So, it might always be the best solution&#8230; but it is <em>easier to read</em>.</p> <p>Let&#8217;s try another with multiple keys in our hash&#8230; infact, we&#8217;ll build the hash prior to calling <code>find</code>.</p> <div class="typocode"><pre><code class="typocode_ruby "><span class="ident">values</span> <span class="punct">=</span> <span class="punct">{</span> <span class="symbol">:first_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Nigel</span><span class="punct">',</span> <span class="symbol">:last_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Tufnel</span><span class="punct">'}</span> <span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">['</span><span class="string">first_name = :first_name AND last_name = :last_name</span><span class="punct">',</span> <span class="ident">values</span> <span class="punct">]</span> <span class="punct">)</span></code></pre></div> <p>It will happily match the hash keys to the named placeholders in the conditions string. Again, nothing terribly exciting&#8230;but it is <em>easier to read</em>.</p> <p><strong>Who cares about order? Not named placeholders!</strong></p> <p>Okay, let&#8217;s mix things up a bit&#8230;</p> <div class="typocode"><pre><code class="typocode_ruby "><span class="ident">values</span> <span class="punct">=</span> <span class="punct">{</span> <span class="symbol">:last_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Tufnel</span><span class="punct">',</span> <span class="symbol">:first_name</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Nigel</span><span class="punct">'</span> <span class="punct">}</span> <span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">['</span><span class="string">first_name = :first_name AND last_name = :last_name</span><span class="punct">',</span> <span class="ident">values</span> <span class="punct">]</span> <span class="punct">)</span></code></pre></div> <p>The hash keys were not added in the same order&#8230; but it still works!</p> <p>Okay, now for one last quick example (it&#8217;s late and I am tired&#8230;).</p> <p>I have a search mechanism on a site that allows you to search for a string of text across multiple fields. So, I have one string&#8230; but several fields to compare against.</p> Here is a string that I will pass to the <code>find</code> method. <div class="typocode"><pre><code class="typocode_ruby "><span class="ident">conditions</span> <span class="punct">=</span> <span class="punct">&quot;</span><span class="string">role = :role AND (first_name ~* :str OR last_name ~* :str OR nick_name ~* :str)</span><span class="punct">&quot;</span></code></pre></div> <p><strong>Note</strong>: this string is using <a href="http://rubyurl.com/DYE">PostgreSQL regular expressions</a>... (<code>~*</code>).</p> <p>Here is a hash that with that matches the keys, <code>:str</code> and <code>:role</code></p> <div class="typocode"><pre><code class="typocode_ruby "><span class="ident">values</span> <span class="punct">=</span> <span class="punct">{</span> <span class="symbol">:str</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">^(Nigel|Tufnel)$</span><span class="punct">',</span> <span class="symbol">:role</span> <span class="punct">=&gt;</span> <span class="punct">'</span><span class="string">Guitar</span><span class="punct">'</span> <span class="punct">}</span></code></pre></div> <p>If you look above, you&#8217;ll see that the <code>conditions</code> string contains <strong>four</strong> named placeholders&#8230; but the hash only has <strong>two</strong> keys. With the <code>?</code> placeholder, we would have to pass the same vaule three times&#8230; which isn&#8217;t any fun to read or maintain. ;-/</p> <p>So, with our new friends, <strong>named parameters</strong>, we can call <code>find</code> (or any find-like method) using this technique for placeholders.</p> <div class="typocode"><pre><code class="typocode_ruby "><span class="constant">RockLegend</span><span class="punct">.</span><span class="ident">find</span><span class="punct">(</span> <span class="symbol">:all</span><span class="punct">,</span> <span class="symbol">:conditions</span> <span class="punct">=&gt;</span> <span class="punct">[</span> <span class="ident">conditions</span><span class="punct">,</span> <span class="ident">values</span> <span class="punct">]</span> <span class="punct">)</span></code></pre></div> <p>...and hopefully this is useful to you. :-)</p> <p>Have fun!</p> Fri, 21 Oct 2005 00:53:00 -0500 urn:uuid:4ffd337b75c41f3b73433e7919ddca5e Robby Russell http://www.robbyonrails.com/articles/2005/10/21/using-named-placeholders-in-ruby Ruby on Rails Ruby Programming PostgreSQL activerecord rails ruby postgresql <p>Wow. Thanks.</p> Sun, 27 Aug 2006 03:34:26 -0500 urn:uuid:bd472e06-8002-425e-b173-5c4c946c91d6 http://www.robbyonrails.com/articles/2005/10/21/using-named-placeholders-in-ruby#comment-21873 <p>Great post. Very useful! Thank you.</p> Fri, 25 Aug 2006 15:45:38 -0500 urn:uuid:16b1a89d-83fe-4210-8f74-6bfbd5f16e41 http://www.robbyonrails.com/articles/2005/10/21/using-named-placeholders-in-ruby#comment-21866