0

In my controller, I have this method:

def show
  @final = final_params
  allparams = ''
  ActiveRecord::Base.connection.execute("USE database")
  ActiveRecord::Base.connection.execute("declare @p3 dbo.Params")
  @final.each do |key, value|
    allparams = "insert into @p3 values(N'""#{key}"+"'"++",N'"+"#{value}"+"')\n"
    ActiveRecord::Base.connection.execute(allparams)
  end
end

But, I am facing the below error:

TinyTds::Error: Must declare the table variable "@p3".: insert into @p3 values(N'a',N'aa')

In my above code @p3 is a table name parameter.

I am using SQL Server as the database.

4
  • 1
    Possible duplicate of how to call stored procedure in ruby on rails? Commented Apr 28, 2018 at 14:12
  • I have changed my method so that I can execute SQL statements as below: def show @final =final_params allparams='' ActiveRecord::Base.connection.execute("USE database") ActiveRecord::Base.connection.execute("declare @p3 dbo.FormParams") @final.each do |key, value| allparams= "insert into @p3 values(N'""#{key}"+"'"++",N'"+"#{value}"+"')\n" ActiveRecord::Base.connection.execute(allparams) end end But now, I am facing the below error: TinyTds::Error: Must declare the table variable "@p3".: insert into @p3 values(N'a',N'aa') Commented Apr 28, 2018 at 15:09
  • Please update your question instead of including (or changing) details in the comments, it will be easier for everyone to understand your problem and more likely to receive a helpful answer. Commented Apr 28, 2018 at 15:14
  • Updated @Gerry. Thanks Commented Apr 28, 2018 at 16:35

2 Answers

1

#{@p3}, but this code looks vulnerable to SQL injection.


0

You need to interpolate the @p3 variable into the SQL string assigned to allparams, like this:

@final.each do |key, value|
  allparams = "insert into #{@p3} values(N'""#{key}"+"'"++",N'"+"#{value}"+"')\n"
  ActiveRecord::Base.connection.execute(allparams)
end
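
Editor's added example, not code from the question or from either answer: in T-SQL a table variable exists only for the batch that declares it, and each `execute` call sends its own batch, which is what the "Must declare the table variable" message reports. The Ruby below builds one batch containing the declaration and every insert, and quotes each key and value so a quote character cannot end the literal. `tsql_nstring`, `build_params_batch` and the sample hash are hypothetical names and constructed data; the two-column insert follows the question's code.

```ruby
# Added example (not from the original thread).

# Hypothetical helper: render a Ruby value as a T-SQL Unicode string literal.
# Doubling each single quote keeps the value inside the literal. In a Rails
# app, prefer the adapter's own ActiveRecord::Base.connection.quote(value).
def tsql_nstring(value)
  "N'" + value.to_s.gsub("'", "''") + "'"
end

# A type name cannot be sent as a quoted value, so accept only a plain
# identifier, optionally schema-qualified (assumption: no bracketed names).
TYPE_NAME = /\A[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?\z/

# Build ONE batch: the DECLARE and all INSERTs travel together, so @p3 is
# still in scope when each INSERT runs.
def build_params_batch(type_name, params)
  unless type_name.match?(TYPE_NAME)
    raise ArgumentError, "bad type name: #{type_name.inspect}"
  end
  lines = ["DECLARE @p3 #{type_name};"]
  params.each do |key, value|
    lines << "INSERT INTO @p3 VALUES (#{tsql_nstring(key)}, #{tsql_nstring(value)});"
  end
  lines.join("\n")
end

# Constructed sample input; the second value tries to close the literal early.
sample = { "a" => "aa", "note" => "x'); DROP TABLE users;--" }
batch = build_params_batch("dbo.Params", sample)
puts batch

# In the controller the whole string would go out in a single call:
#   ActiveRecord::Base.connection.execute(batch)
```

Whatever reads `@p3` afterwards has to be appended to the same batch, because the variable is gone once the batch ends.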
