Salil Gaikwad wrote:
> Category.find(:first, :conditions=>["name= ? and "+query, self.name ])
Maybe you typed this wrong, but using the string "name =? and" + query
still looks BAD to me. If "query" could possibly contain any user input
then it is still not sanitized against SQL Injection.
When the following form is used:
:conditions => ["name = ? and parent_id = ?", a, b]
Rails will sanitize a and b while substituting them for the ?
placeholders.
Rails also properly sanitizes when using hashes for the :conditions:
:conditions => { :name => a, :parent_id => b }
Rule of thumb: Never directly concatenate to a SQL fragment when there
is any possibility that user provided input might be involved.
--
Posted via http://www.ruby-forum.com/.
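To make the difference between the two forms concrete, here is an added example (not from the post above or from Rails itself) with a deliberately simplified `quote_value`/`sanitize_conditions` standing in for ActiveRecord's own quoting; `HOSTILE_QUERY` is a constructed stand-in for a user-controlled "query" string.

```ruby
# Added example: a minimal re-implementation of Rails-style placeholder
# substitution, to show why concatenating "query" into the fragment defeats it.
# The quoting is simplified and is NOT ActiveRecord's code; in a real app use
# :conditions => ["...", a, b] or the hash form and let Rails do the quoting.

# Quote a Ruby value as a SQL literal: numbers pass through, strings are wrapped
# in single quotes with embedded quotes doubled, nil becomes NULL.
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Equivalent of the array form :conditions => ["name = ? and parent_id = ?", a, b]:
# every ? is replaced by a quoted value, so the value can never be parsed as SQL.
def sanitize_conditions(fragment, *values)
  raise ArgumentError, "placeholder/value count mismatch" unless fragment.count("?") == values.size
  vals = values.dup
  fragment.gsub("?") { quote_value(vals.shift) }
end

# Equivalent of the hash form :conditions => { :name => a, :parent_id => b }.
def hash_conditions(conditions)
  conditions.map { |column, value| "#{column} = #{quote_value(value)}" }.join(" AND ")
end

# The pattern criticised in the post: only the ? is quoted, while whatever
# "query" contains is spliced into the fragment verbatim.
def unsafe_conditions(name, query)
  sanitize_conditions("name = ? and " + query, name)
end

# Constructed input standing in for an attacker-controlled "query" string.
HOSTILE_QUERY = "parent_id = 1 OR 1=1 --"

if __FILE__ == $0
  puts unsafe_conditions("Books", HOSTILE_QUERY)
  # => name = 'Books' and parent_id = 1 OR 1=1 --   (the OR is live SQL)
  puts sanitize_conditions("name = ? and parent_id = ?", "Books", HOSTILE_QUERY)
  # => name = 'Books' and parent_id = 'parent_id = 1 OR 1=1 --'   (inert literal)
  puts hash_conditions(:name => "O'Reilly", :parent_id => 7)
  # => name = 'O''Reilly' AND parent_id = 7
end
```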