Hi all,

I would like to modify this find_by_sql to work using just the normal find.

    User.find_by_sql("SELECT * FROM users WHERE role = " + params[:user][:role] + " and first LIKE A%")

This works, I just don't like doing it this way.

Thanks,
-S
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On Nov 16, 2007 12:24 PM, Shandy Nantz <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Hi all,
>
> I would like to modify this find_by_sql to work using just the normal
> find.
>
> User.find_by_sql("SELECT * FROM users WHERE role = " +
> params[:user][:role] + " and first LIKE A%")
>
> this works, I just don't like doing it this way. Thanks,
>
> -S

Try:

    User.find(:all, :conditions => ["role = ? and first LIKE A%", params[:user][:role]] )

Just a warning, what you've got now has an SQL injection attack. Think about what happens if someone posts the following:

    params[user[role]]="name; DROP TABLE users; --"

What I've posted properly sanitizes the input so this can't happen.

Jason
On Nov 16, 2007 12:29 PM, Jason Roelofs <jameskilton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> User.find(:all, :conditions => ["role = ? and first LIKE A%",
> params[:user][:role]] )
>
> Just a warning, what you've got now has an SQL injection attack. Think about
> what happens if someone posts the following:
>
> params[user[role]]="name; DROP TABLE users; --"
>
> What I've posted properly sanitizes the input so this can't happen.

http://xkcd.com/327/

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/
Jason Roelofs wrote:
>
> Try:
>
> User.find(:all, :conditions => ["role = ? and first LIKE A%",
> params[:user][:role]] )
>
> Just a warning, what you've got now has an SQL injection attack. Think
> about
> what happens if someone posts the following:
>
> params[user[role]]="name; DROP TABLE users; --"
>
> What I've posted properly sanitizes the input so this can't happen.
>
> Jason

This find method gives the following error:

    Ryyerror: SELECT * FROM users WHERE (role = 'Traveler' and first LIKE A%)

Why is it putting the parens?

This is my exact code:

    @users = User.find(:all, :conditions => ["role = ? and first LIKE A%", params[:role]] )

Thanks again,
-S
--
Posted via http://www.ruby-forum.com/.
On Nov 16, 2007, at 2:34 PM, Shandy Nantz wrote:
> Jason Roelofs wrote:
>> Try:
>>
>> User.find(:all, :conditions => ["role = ? and first LIKE A%",
>> params[:user][:role]] )
>>
>> Just a warning, what you've got now has an SQL injection attack.
>> Think
>> about
>> what happens if someone posts the following:
>>
>> params[user[role]]="name; DROP TABLE users; --"
>>
>> What I've posted properly sanitizes the input so this can't happen.
>>
>> Jason
>
> This find method gives the following error:
>
> Ryyerror: SELECT * FROM users WHERE (role = 'Traveler' and first LIKE
> A%)
>
> Why is it putting the parens?
>
> This is my exact code:
>
> @users = User.find(:all, :conditions => ["role = ? and first LIKE A
> %",
> params[:role]] )
>
> Thanks again,
>
> -S

Your problem isn't too many parentheses, it is too few quotes. Try either of these:

    @users = User.find(:all, :conditions => ["role = ? and first LIKE 'A%'", params[:role]] )

or

    @users = User.find(:all, :conditions => ["role = ? and first LIKE ?", params[:role], 'A%'] )

-Rob

Rob Biedenharn
http://agileconsultingllc.com
Rob-xa9cJyRlE0mWcWVYNo9pwxS2lgjeYSpx@public.gmane.org
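The difference between the concatenated find_by_sql in the original post and the placeholder form Jason and Rob suggest is easiest to see by expanding both into the final SQL string. The following is an added example, not code from the thread or from Rails: it uses a small hypothetical bind_conditions helper that approximates how ActiveRecord expands the "?" placeholders in a :conditions array (quoting each value as a SQL string literal and doubling embedded single quotes), so it runs in plain Ruby with no Rails or database. The hostile role value is the one quoted in the thread; the "Traveler" value comes from the error message in the thread.

```ruby
# Added example (not from the thread or from Rails): expand a :conditions
# template the way ActiveRecord does, and compare it with raw concatenation.
# Plain Ruby; nothing here talks to a database.

# Quote one value as a SQL literal: strings are wrapped in single quotes
# with any embedded single quote doubled, which is what keeps a value from
# closing the literal early. (Hypothetical helper; approximates
# ActiveRecord's string quoting, not the real implementation.)
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the next quoted value, mirroring
# :conditions => ["role = ?", x]. A mismatch between placeholders and
# values is an error rather than a silently half-bound query.
def bind_conditions(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

# The original post's approach: the request parameter is pasted straight
# into the statement, so whatever it contains becomes SQL.
def concat_query(role)
  "SELECT * FROM users WHERE role = " + role + " and first LIKE 'A%'"
end

# The thread's corrected approach (Rob's second form): both the role and
# the LIKE pattern are bound through placeholders.
def bound_query(role)
  "SELECT * FROM users WHERE " +
    bind_conditions("role = ? and first LIKE ?", role, "A%")
end

# Constructed sample input, mirroring the value Jason warned about.
HOSTILE_ROLE = "name; DROP TABLE users; --"

if __FILE__ == $0
  puts "concatenated: " + concat_query(HOSTILE_ROLE)
  # concatenated: SELECT * FROM users WHERE role = name; DROP TABLE users; -- and first LIKE 'A%'
  puts "bound:        " + bound_query(HOSTILE_ROLE)
  # bound:        SELECT * FROM users WHERE role = 'name; DROP TABLE users; --' and first LIKE 'A%'
end
```

In the concatenated form the parameter's semicolon ends the statement and the "--" comments out the rest, so the database sees two statements; in the bound form the whole value sits inside one quoted literal and is compared against the role column like any other string. This is also why Rob's quoting fix matters: A% outside quotes is parsed as SQL, not as a pattern, just as the unquoted role was.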
Shandy Nantz wrote:
>
> @users = User.find(:all, :conditions => ["role = ? and first LIKE A%",
> params[:role]] )

I got it, I was missing quotes:

    @users = User.find(:all, :conditions => ["role = ? and first LIKE 'A%'", params[:role]] )

--
Posted via http://www.ruby-forum.com/.