On 8 Sep 2008, at 11:56, mohdanas wrote:

>
> Hi There,
>
> I'm getting the following errors while accessing my application.
> Can someone please tell me what the possible cause is and whether it
> can be resolved?
> "
> ActiveRecord::StatementInvalid in Site#showalladdress
>
> Showing site/showalladdress.rhtml where line #3 raised:
> Mysql::Error: #42000You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right
> syntax to use near 'and enabled='1'' at line 1: select * from
> addresses where typeid=2 and customerid= and enabled='1'
>
Because you've generated invalid SQL: "customerid= and"

which you've done because you're using find_by_sql without checking
all the things you're interpolating (and exposing yourself to SQL
injection in the process).
find_by_sql is completely unnecessary in this case.

Fred
>
> Extracted source (around line #3):
> 1: Select Customer Address<br />
> 2:
> 3: <%=collection_select "address", :id, Address.find_by_sql("select *
> from addresses where typeid=#{params[:id]} and
> customerid=#{session[:customerid]} and enabled='1'"), :id, :address,
> {},
> {:onchange => "showcompletedetails()",
> :onclick => remote_function(:update => "", :url => {:action => "setaddress"},
> :with => "'id=' + $('address_id').value"),
> :size => "5", :class => "dropdown",
> :style => "width:100%;border:1px solid #0099cc;" }%>
> "
>
>
> Thanks
>
> Mohd Anas
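As an added illustration of Fred's point (example code, not from the thread or from Rails itself): the template interpolates `params[:id]` and `session[:customerid]` straight into the SQL string, so a nil session value produces exactly the `customerid= and` fragment in the error, and any text a client supplies is spliced in verbatim. The hardened version below validates both values as integer ids and returns a Rails-style conditions array with `?` placeholders, which is what you would hand to `Address.find(:all, :conditions => [...])` in the Rails 2 era of this thread (or `Address.where(...)` on newer Rails). It is plain Ruby with no Rails dependency; the function names are mine.

```ruby
# Added example, not part of the original thread. Contrasts the interpolated
# query from the template with a validated, parameterised equivalent.

# The template's approach: string interpolation. A nil customer id leaves an
# empty right-hand side ("customerid= and"), which is the MySQL syntax error in
# the thread, and user-supplied text is embedded without any checking.
def unsafe_address_sql(type_id, customer_id)
  "select * from addresses where typeid=#{type_id} and " \
  "customerid=#{customer_id} and enabled='1'"
end

# Coerce a value to a strict base-10 integer id. nil, empty strings and
# anything containing non-digit characters are rejected before any SQL exists.
def require_integer_id(value, name)
  Integer(value.to_s, 10)
rescue ArgumentError, TypeError
  raise ArgumentError, "#{name} must be an integer id, got #{value.inspect}"
end

# Rails-style conditions array: the SQL carries placeholders only and the
# validated values travel separately, so the database driver quotes them.
def safe_address_conditions(type_id, customer_id)
  [
    "typeid = ? AND customerid = ? AND enabled = ?",
    require_integer_id(type_id, "typeid"),
    require_integer_id(customer_id, "customerid"),
    "1"
  ]
end

if __FILE__ == $0
  # Constructed inputs mirroring the thread: params[:id] = "2", no customer in session.
  puts unsafe_address_sql("2", nil)          # the broken query from the error message
  p safe_address_conditions("2", "17")       # placeholders plus validated values
  begin
    safe_address_conditions("2", nil)        # nil session value is refused up front
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The conditions array is the shape ActiveRecord expects; the point is that the ids are checked once, at the boundary, and the query text never changes based on what the client sent.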


You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en