On Fri, 21 Aug 2009 06:48:24 -0700 MilesTogoe <[email protected]> wrote:
> does the newer way of specifying queries provide any html escaping
> protection vs the older way of specifying conditions, i.e.:
>
>   accts = Account.all(:active => true)
>   accts = Account.first(:name => 'Ruby')

I'm not sure what you mean by 'newer', since the way of querying you describe there has been in DM since ... well, all of 0.9.x and I think before. I'm also going to assume you mean SQL, not HTML.

But yes, if you use all() and first() with :symbol_keys as in your examples (or :conditions with ? placeholders in the string), then all your parameters get bound or otherwise appropriately escaped to protect you from SQL injection. The same also applies to resources persisted through create(), save() and update().

Regards,
Jon
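The point of the reply above, shown in runnable form as an added example (this is not DataMapper's own code, and DataMapper itself hands bound values to the database driver rather than quoting them in Ruby): a minimal stand-in binder that does what the reply describes for the `:symbol => value` and `:conditions => ["... ?", value]` forms, beside the string-interpolation form those forms protect you from. The table name `accounts`, the helper names, the boolean-to-1/0 mapping and the inputs are all constructed for the demo.

```ruby
# Added example, not DataMapper's own code. DataMapper passes bound values to the
# database driver; this stand-in binder reproduces the effect the reply describes
# (each value becomes exactly one SQL literal) so the two query forms can be
# compared offline. Table/column names and inputs are constructed for the demo.

# Render one Ruby value as a single SQL literal. Strings get the SQL-standard
# doubling of embedded single quotes; booleans map to 1/0 here (an assumption
# for the demo; real adapters differ).
def quote_literal(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"
  when false          then "0"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Equivalent of :conditions => ["name = ? AND age > ?", name, age]:
# every ? is replaced by exactly one quoted value, and the counts must match.
def bind_placeholders(sql, params)
  remaining = params.dup
  bound = sql.gsub("?") do
    raise ArgumentError, "not enough bind values for #{sql.inspect}" if remaining.empty?
    quote_literal(remaining.shift)
  end
  raise ArgumentError, "#{remaining.size} unused bind value(s)" unless remaining.empty?
  bound
end

# Equivalent of Account.all(:active => true, :name => 'Ruby'): each hash key
# becomes a "column = ?" conjunct and the values go through the binder.
def query_from_hash(table, conditions)
  where = conditions.keys.map { |column| "#{column} = ?" }.join(" AND ")
  bind_placeholders("SELECT * FROM #{table} WHERE #{where}", conditions.values)
end

# The unsafe form: caller-controlled text interpolated straight into the SQL
# string, so a quote in the input terminates the literal early.
def query_by_interpolation(table, name)
  "SELECT * FROM #{table} WHERE name = '#{name}'"
end

# Count the single-quoted string literals in a statement, treating '' as an
# escaped quote inside a literal. A correctly bound user value always
# contributes exactly one literal, however many quotes it contains.
def string_literal_count(sql)
  count = 0
  i = 0
  while i < sql.length
    if sql[i] != "'"
      i += 1
      next
    end
    count += 1            # opening quote of a literal
    i += 1
    while i < sql.length
      if sql[i] != "'"
        i += 1
      elsif sql[i + 1] == "'"
        i += 2            # doubled quote: still inside the literal
      else
        i += 1
        break             # closing quote
      end
    end
  end
  count
end

if __FILE__ == $0
  evil = "Ruby' OR '1'='1"   # constructed attacker input
  puts query_from_hash("accounts", :active => true, :name => evil)
  puts query_by_interpolation("accounts", evil)
  puts "literals: #{string_literal_count(query_from_hash("accounts", :name => evil))} " \
       "(bound) vs #{string_literal_count(query_by_interpolation("accounts", evil))} (interpolated)"
end
```

With the constructed input `Ruby' OR '1'='1`, the hash/placeholder path yields `name = 'Ruby'' OR ''1''=''1'`, a single literal that matches nothing, while the interpolated path yields `name = 'Ruby' OR '1'='1'`, three literals and a tautology. The binder also refuses a placeholder count that does not match the value count, which is the failure mode to watch for when a `:conditions` array is built up dynamically.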
