Stanislav Orlenko wrote:
> Hi
> I have a form on View and I have to construct condition for query
> depending fields which user filled in form.
> I should write something like:
>
> cond
> if params[par1]
> cond = " par1 = #{par1} "
>
> if params[par2]
> cond += " AND par2 = #{par2} "
>
NO! NEVER EVER DO THAT! You're leaving yourself wide open to SQL
injection.
> etc....
>
> Client.all(:conditions => cond)
> ....
> ....
>
> May be someone know more rational way how to do it in RoR?
> Thanks in advance!
Well, conditions can take a hash, so how about

    conditions = {}
    [:p1, :p2, :p3].each do |p|
      if params[p]
        conditions[p] = params[p]
      end
    end
    Client.all :conditions => conditions

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
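
The difference between the interpolated string in the question and bound values, shown in plain Ruby as an added example that is not part of the original message. The helper names and the sample parameters are assumptions; the returned array has the `["sql with ?", value, ...]` shape that `:conditions` also accepts.

```ruby
# Added example, plain Ruby (no Rails needed to run it).
# ALLOWED_COLUMNS, interpolated_where and bound_conditions are hypothetical names.
ALLOWED_COLUMNS = %w[par1 par2 par3].freeze

# Pattern from the question: user input becomes part of the SQL text.
def interpolated_where(params)
  ALLOWED_COLUMNS.select { |c| params[c] }
                 .map { |c| "#{c} = #{params[c]}" }
                 .join(" AND ")
end

# Bound form: column names come only from the fixed list, each value is
# represented by "?" and travels separately from the SQL text.
def bound_conditions(params)
  # Accept only non-empty strings: an empty form field arrives as "" (truthy
  # in Ruby), and request parameters can also arrive as arrays or hashes.
  used = ALLOWED_COLUMNS.select { |c| params[c].is_a?(String) && !params[c].empty? }
  return nil if used.empty? # no filter supplied

  [used.map { |c| "#{c} = ?" }.join(" AND "), *used.map { |c| params[c] }]
end

# Constructed request parameters (not from the thread).
SAMPLE = { "par1" => "42", "par2" => "0 OR 1=1", "par3" => "", "admin" => "1" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts interpolated_where(SAMPLE) # the value of par2 has become SQL syntax
  p bound_conditions(SAMPLE)      # the SQL text is fixed; par2 stays a value
end
```

With the bound form the SQL text is the same for every request that fills in the same fields, so a value can never add an operator or a clause to it.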