Hi, I'm totally new to Rails. I'm trying to populate data from MySQL. I've got a problem when it comes to passing a parameter in a condition (for find_all). Definitions in a controller are as follows:

    def list
      @cf_categories = CfCategory.find_all "cParent = '0'"
    end

    def subcat
      @subcats = CfCategory.find_all cParent = @params["id"]
    end

and I don't know how to declare the condition in the second definition (cParent = @params["id"]). I've also checked that the id is being passed from the list def to the subcat. Can anybody help me? Thanks.
> and I don't know how to declare the condition in the second definition
> (cParent = @params["id"]). I've also checked that the id is being
> passed from the list def to the subcat.

I think you're looking to do this:

    @subcats = CfCategory.find_all "cParent = #{@params["id"]}"

This is the Ruby way of putting the value of a variable inside a string (rather than the name of the variable). You could also do this:

    @subcats = CfCategory.find_all "cParent = " + @params["id"].to_s

Duane Johnson
(canadaduane)
On Apr 8, 2005 4:18 PM, Duane Johnson <duane.johnson-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> @subcats = CfCategory.find_all "cParent = #{@params["id"]}"

You *COULD* do that, but that's the ugly, EVIL way of doing it that opens you up to SQL injection attacks. What you really want to do is this:

    @subcats = CfCategory.find_all [ "cParent = ?", @params["id"] ]

> @subcats = CfCategory.find_all "cParent = " + @params["id"].to_s

This is also bad, and for the same reason.

I think this might also work, but I'm not entirely sure:

    @subcats = CfCategory.find_all_by_cparent @params["id"]

(though that might need to be "find_all_by_c_parent" instead, not sure)

--
Urban Artography
http://artography.ath.cx
Julian 'Julik' Tarkhanov
2005-Apr-09 23:32 UTC
Re: problem with passing a parameter to a condition - offtopic
I know, this question might sound strange - but this looks very suspicious to me (quite like a potential SQL injection).

On 9-apr-05, at 0:18, Duane Johnson wrote:

> I think you're looking to do this:
>
> @subcats = CfCategory.find_all "cParent = #{@params["id"]}"

--
Julian "Julik" Tarkhanov
Michael Koziarski
2005-Apr-10 04:37 UTC
Re: problem with passing a parameter to a condition - offtopic
On Apr 10, 2005 11:32 AM, Julian 'Julik' Tarkhanov <listbox-RY+snkucC20@public.gmane.org> wrote:

> I know, this question might sound strange - but this looks very
> suspicious to me (quite like a potential SQL injection).
>
> On 9-apr-05, at 0:18, Duane Johnson wrote:
> >
> > I think you're looking to do this:
> >
> > @subcats = CfCategory.find_all "cParent = #{@params["id"]}"

Yeah, it is insecure, you want

    @subcats = CfCategory.find_all(["cParent = ?", @params["id"]])

> --
> Julian "Julik" Tarkhanov
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

--
Cheers
Koz
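The replies signed Urban Artography and Koz both recommend the array form, `find_all ["cParent = ?", @params["id"]]`, over string interpolation. The following is an added example, not code from this thread or from Rails itself: a pure-Ruby stand-in that shows what each style produces when `params["id"]` carries hostile input. The helpers `interpolated_condition`, `quote_value`, `bind_condition` and `safe_parent_id` are names invented here; `bind_condition` imitates the quoting that ActiveRecord applies to `?` placeholders but is not ActiveRecord code, and the hostile id string is constructed for the demo.

```ruby
# Added example (not from the thread, not ActiveRecord): contrast the
# interpolated condition with a placeholder-bound one on hostile input.

# Unsafe: the pattern suggested first in the thread. Whatever the browser
# sent in params["id"] lands in the SQL text unchanged.
def interpolated_condition(raw_id)
  "cParent = #{raw_id}"
end

# Quote one Ruby value as a SQL literal, the way a placeholder binder does:
# integers stay bare, nil becomes NULL, everything else becomes a
# single-quoted string with embedded single quotes doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Safe: substitute each ? in the template with a quoted value.
# The template is walked character by character so a "?" inside an
# already-substituted value can never be mistaken for a placeholder,
# and a count mismatch raises instead of leaving a bare "?" in the SQL.
def bind_condition(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  out = String.new
  idx = 0
  template.each_char do |ch|
    if ch == "?"
      out << quote_value(values[idx])
      idx += 1
    else
      out << ch
    end
  end
  out
end

# Belt and braces for an id column: coerce to Integer before binding and
# reject anything that is not a plain decimal number. Integer() raises on
# "0 OR 1=1" and on "", whereas to_i would silently turn both into 0.
def safe_parent_id(raw)
  Integer(raw.to_s, 10)
rescue ArgumentError, TypeError
  raise ArgumentError, "invalid id: #{raw.inspect}"
end

if $PROGRAM_NAME == __FILE__
  hostile = "0 OR 1=1"                          # constructed hostile params["id"]
  puts interpolated_condition(hostile)          # cParent = 0 OR 1=1   (matches every row)
  puts bind_condition("cParent = ?", hostile)   # cParent = '0 OR 1=1' (one string literal)
  puts bind_condition("cParent = ?", safe_parent_id("7"))  # cParent = 7
end
```

The interpolated form turns `0 OR 1=1` into a second boolean term and returns every category; the bound form hands the database a single quoted literal that matches nothing. Coercing the id with `safe_parent_id` before binding is independent of the quoting and catches malformed ids early, which is the right habit for any column that is declared numeric.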