Find

Hi all,

I would like to modify this find_by_sql to work using just the normal
find.

User.find_by_sql("SELECT * FROM users WHERE role = " +
params[:user][:role] + " and first LIKE A%")

this works, I just don’t like doing it this way. Thanks,

-S

On Nov 16, 2007 12:24 PM, Shandy N. [email protected] wrote:

-S

Try:

User.find(:all, :conditions => ["role = ? and first LIKE A%",
params[:user][:role]] )

Just a warning, what you've got now has an SQL injection attack. Think about
what happens if someone posts the following:

params[user[role]]="name; DROP TABLE users; --"

What I’ve posted properly sanitizes the input so this can’t happen.

Jason

On Nov 16, 2007 12:29 PM, Jason R. [email protected] wrote:

User.find(:all, :conditions => ["role = ? and first LIKE A%",
params[:user][:role]] )

Just a warning, what you’ve got now has an SQL injection attack. Think about
what happens if someone posts the following:

params[user[role]]="name; DROP TABLE users; --"

What I’ve posted properly sanitizes the input so this can’t happen.

xkcd: Exploits of a Mom

Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

On Nov 16, 2007, at 2:34 PM, Shandy N. wrote:

-S
Your problem isn’t too many parentheses, it is too few quotes. Try
either of these:

@users = User.find(:all, :conditions => ["role = ? and first LIKE 'A%'", params[:role]] )

or

@users = User.find(:all, :conditions => ["role = ? and first LIKE ?",
params[:role], 'A%'] )

-Rob

Rob B. http://agileconsultingllc.com
[email protected]

Jason R. wrote:

Try:

User.find(:all, :conditions => ["role = ? and first LIKE A%",
params[:user][:role]] )

Just a warning, what you've got now has an SQL injection attack. Think about
what happens if someone posts the following:

params[user[role]]="name; DROP TABLE users; --"

What I’ve posted properly sanitizes the input so this can’t happen.

Jason

This find method gives the following error:

Ryyerror: SELECT * FROM users WHERE (role = 'Traveler' and first LIKE A%)

Why is it putting the parens?

This is my exact code:

@users = User.find(:all, :conditions => ["role = ? and first LIKE A%",
params[:role]] )

Thanks again,

-S

Shandy N. wrote:

@users = User.find(:all, :conditions => ["role = ? and first LIKE A%",
params[:role]] )

I got it, I was missing quotes:

@users = User.find(:all, :conditions => ["role = ? and first LIKE 'A%'", params[:role]] )
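To show why the array form of :conditions recommended in this thread is safe where the original string concatenation is not, here is an added example (not code from the thread or from Rails itself) that re-implements, in plain Ruby, the way ActiveRecord binds "?" placeholders: each bound value is turned into a single quoted SQL literal, so the posted payload can never end the literal and start a new statement. The helper names `quote_value`, `bind_conditions`, `unsafe_where` and `safe_where` are hypothetical.

```ruby
# Added example, not from the thread or from ActiveRecord. Hypothetical helpers.

# Quote one Ruby value as a SQL literal. Strings are wrapped in single quotes
# with embedded single quotes doubled, the standard SQL escaping rule.
def quote_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when String         then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind type: #{value.class}"
  end
end

# Replace each "?" in the template with the quoted matching value, the way the
# array form of :conditions (["role = ? and first LIKE ?", role, 'A%']) works.
# A placeholder/value count mismatch is an error, not silently ignored.
def bind_conditions(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.length
    raise ArgumentError,
          "wrong number of bind variables (#{values.length} for #{placeholders})"
  end
  i = -1
  template.gsub("?") { quote_value(values[i += 1]) }
end

# The pattern from the original post: the request parameter is pasted into
# the SQL text, so quotes and semicolons in it become part of the query.
def unsafe_where(role)
  "role = '" + role + "' and first LIKE 'A%'"
end

# The corrected pattern: the same parameter is bound as one string literal.
def safe_where(role)
  bind_conditions("role = ? and first LIKE ?", role, "A%")
end

if __FILE__ == $0
  # Constructed inputs: a normal role and the payload quoted in the thread.
  ["Traveler", "name'; DROP TABLE users; --"].each do |role|
    puts "unsafe: #{unsafe_where(role)}"
    puts "safe:   #{safe_where(role)}"
  end
end
```

Run it to see that in the safe form the whole payload, including the quote and the semicolon, stays inside one string literal, while in the unsafe form the quote closes the literal and the rest becomes SQL.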