You could do something like this:

Address.find(:all, :conditions => ['? LIKE ?',
Address.connection.quote_column_name("last_name"), "Luehr" ])

It's a bit more verbose, but I think it should work.

Michael

On Sat, May 23, 2009 at 8:15 AM, Jan Lr <usenet / stephan.homeunix.net> wrote:
> Hello,
>
> I'm developing a search functionality (as part of a RoR-App) and I was
> wondering: Is there a way to sanitize column-names for security?
>
> For values, there are prepared statements like:
>
> Address.find(:all, :conditions => ['last_name LIKE ?',"Luehr" ])
>
> But for column-names, it doesn't work:
> Address.find(:all, :conditions => ['? LIKE ?',"last_name","Luehr" ])
>
> Creates:
> SELECT * FROM `addresses` WHERE ('last_name' LIKE 'Luehr')
> (last_name is used as a string here)
>
> I looked for escaping methods but I just got DBMS specific ones like
> Mysql::escape_string()
>
> Do you know a generic escaping method?
>
> Thanks in advance,
> Keep smiling
> yanosz
>
>
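As an added example, not code from Michael's reply or from Rails itself: a self-contained Ruby sketch with hypothetical stand-ins for ActiveRecord's `?` binding and MySQL's `quote_column_name`, showing why a column name bound through `?` ends up as a string literal, and how an allowlist of searchable columns plus identifier quoting keeps the column dynamic without letting user input reach the SQL as an identifier.

```ruby
require 'set'

# Constructed stand-in for ActiveRecord's bind substitution: every "?" is
# replaced by the next value quoted as a SQL *string* literal. This is why a
# column name passed through "?" comes out as 'last_name', not last_name.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def sanitize_sql_array(template, *values)
  vals = values.dup
  template.gsub('?') { quote_value(vals.shift) }
end

# Stand-in for connection.quote_column_name on MySQL: wrap the identifier in
# backticks and double any embedded backtick so it cannot break out.
def quote_column_name(name)
  "`" + name.to_s.gsub("`", "``") + "`"
end

# Fixed allowlist: user input may only *select* one of these names, so no
# attacker-controlled text is ever spliced into the query as an identifier.
SEARCHABLE_COLUMNS = Set.new(%w[first_name last_name city]).freeze

# Safe dynamic column in a LIKE condition: the column is checked against the
# allowlist and spliced in as a quoted identifier; the value still uses "?".
def search_condition(column, term)
  unless SEARCHABLE_COLUMNS.include?(column)
    raise ArgumentError, "column not searchable: #{column.inspect}"
  end
  sanitize_sql_array("#{quote_column_name(column)} LIKE ?", term)
end

# The pattern from the thread, for contrast: identifier bound as a value.
def naive_condition(column, term)
  sanitize_sql_array('? LIKE ?', column, term)
end
```

The allowlist also keeps columns such as a password hash out of reach of a search form, which escaping alone would not do.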