Please see documentation for "h" (html escape) and "sanitize" in rails documentation - might be of some help. From Rails 3, I hear, html will be escaped automatically. Also see this: http://railspikes.com/2008/1/28/auto-escaping-html-with-rails
Thanks, Abhinav -- अभिनव http://twitter.com/abhinav On Mon, Sep 7, 2009 at 11:23 AM, Salil Gaikwad < [email protected]> wrote: > > Hi All, > > What is the best way for the sql injectioning. > > I have problem with field named "name" that if we enter improper value > like salil's system get crashed. it gives error Mysql::Error: You have > an error in your SQL syntax; check the manual that corresponds to your > MySQL server version for the right syntax to use near 's' and > parent_id= 21) LIMIT 1 at line 1: SELECT * FROM `categories` WHERE > (name='salil's' and parent_id= 21) LIMIT 1 > > how to avoid that i wwant either of this two > 1] user cannot create category with special characters like ' , < > > 2] if user enter name with special characteres system shouldn't get > crashed for any situation. > > Thanks & Regards, > > Salil Gaikwad > -- > Posted via http://www.ruby-forum.com/. > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
