You'll want to look up the documentation for :conditions in ActiveRecord::Base. My guess is that the code you're using inserts parameters directly into a SQL fragment, which is bad bad bad.
--Matt Jones On Sep 7, 1:53 am, Salil Gaikwad <[email protected]> wrote: > Hi All, > > What is the best way for the sql injectioning. > > I have problem with field named "name" that if we enter improper value > like salil's system get crashed. it gives error Mysql::Error: You have > an error in your SQL syntax; check the manual that corresponds to your > MySQL server version for the right syntax to use near 's' and > parent_id= 21) LIMIT 1 at line 1: SELECT * FROM `categories` WHERE > (name='salil's' and parent_id= 21) LIMIT 1 > > how to avoid that i wwant either of this two > 1] user cannot create category with special characters like ' , < > > 2] if user enter name with special characteres system shouldn't get > crashed for any situation. > > Thanks & Regards, > > Salil Gaikwad > -- > Posted viahttp://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
