On Mar 15, 8:46 am, Michael Graff <[email protected]> wrote:
> With code like this:
>
> def advanced_search
>   $elementspro = params[:elementprovince]
>   $elementstype = params[:elementstype]
>   $elementsequipment = params[:elementsequipment]
>   $elementdown = params[:elementdown]
>   $elementstatus = params[:elementstatus]
>   $elementapproval = params[:elementapproval]
>   $elementteam = params[:elementteam]
>   $elementstaffname = params[:elementstaffname]
>   $frm_view_setup = params[:frm_view_setup]
>   @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
>     :conditions => "province='" + $elementspro + "'" + "or type_of_job='" + $elementstype + "'" +
>       "or equipment_part='" + $elementsequipment + "'" + "or sitedown='" + $elementdown + "'" +
>       "or job_status='" + $elementstatus + "'" + "or job_status='" + $elementapproval + "'" +
>       "or team_on_job='" + $elementteam + "'" + "or RecorderName='" + $elementstaffname + "'",
>     :order => 'jobNo ASC', :per_page => $per_page
> end
>
> you might as well post your database password in public. This is
> dangerous code. It allows SQL injection.
>
> It's pretty clear you come from a PHP world. I suggest you read a few
> books on Ruby programming, and google a bit for "rails sql injection."
> Your code is a security nightmare.
==============================
Hi Mr. Michael Graff,
Thanks a million for your advice. But I want to use Ruby on Rails
because I only use it in a LAN. My advanced search is the same as
http://bitnami.org/advanced_search; they worked in Ruby on Rails too. I
tried my best to do it like that but I still get failures. Now I will show you
a bit of my code in the controller:
def view_detail_job_setup
  if request.get?
    elementdowns = params[:elementdown]
    elementstatus = params[:elementstatus]
    @tblpss_description_records = []
    # Only the first selected value of elementdown is used: every branch breaks out of the loop.
    for elmdown in elementdowns
      case elmdown
      when "ALL"
        # No filter: every record, paginated.
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :order => 'jobNo ASC', :per_page => $per_page
        break
      when "YES", "NO"
        # elmdown is one of the two literals above here, so the concatenation is bounded to those values.
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :conditions => "sitedown='" + elmdown + "'", :order => 'jobNo ASC', :per_page => $per_page
        break
      else
        # Contradictory condition: a row cannot be both YES and NO, so this returns no records.
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :conditions => "sitedown='YES' and sitedown='NO'", :order => 'jobNo ASC', :per_page => $per_page
        break
      end
    end
  end
end
So can you give me more advice about it?
Thanks in advance
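As an added example (not code from either poster), here is how the advanced-search conditions from the quoted code can be built with ActiveRecord placeholders instead of string concatenation, which is what closes the SQL injection hole Michael describes. It assumes the Rails 2.x `:conditions` array form and treats the value "ALL" as "no filter", borrowed from the sitedown handling in the reply.

```ruby
# Added example, not code from the original thread. Rails 2.x ActiveRecord
# accepts :conditions => ["col1 = ? OR col2 = ?", v1, v2] and quotes each
# bind value itself, so user input reaches the database as data, never as
# SQL syntax.

# Request parameter -> column it filters (taken from the quoted code; the
# double job_status mapping is also from there).
SEARCH_COLUMNS = [
  [:elementprovince,   "province"],
  [:elementstype,      "type_of_job"],
  [:elementsequipment, "equipment_part"],
  [:elementdown,       "sitedown"],
  [:elementstatus,     "job_status"],
  [:elementapproval,   "job_status"],
  [:elementteam,       "team_on_job"],
  [:elementstaffname,  "RecorderName"],
]

# Returns nil when no field was filled in (no filter), otherwise an
# ActiveRecord conditions array. "ALL" means "no filter" for that field
# (assumption, borrowed from the sitedown handling in the reply).
def advanced_search_conditions(params)
  clauses = []
  values  = []
  SEARCH_COLUMNS.each do |param_key, column|
    value = params[param_key] || params[param_key.to_s]
    next if value.nil? || value.to_s.strip.empty? || value.to_s == "ALL"
    clauses << "#{column} = ?"  # column names come from our own list, never from the request
    values  << value.to_s        # user input travels only as a bind value
  end
  return nil if clauses.empty?
  [clauses.join(" OR ")] + values
end

# In the controller this replaces the concatenated string:
#   TblpssDescriptionRecord.paginate :page => params[:page],
#     :conditions => advanced_search_conditions(params),
#     :order => 'jobNo ASC', :per_page => $per_page

if __FILE__ == $0
  # Constructed sample request: a name with an apostrophe, which would have
  # broken the concatenated query but is harmless as a bind value.
  p advanced_search_conditions(:elementprovince => "Hanoi", :elementstaffname => "O'Brien")
end
```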