SQL injection


#1

hi,
I want to create an SQL condition like "date=? AND published=?", date, published, like I can do in the :conditions => hash, but I couldn't find a method for doing it in a standalone string; I mean outside find_by_sql or :conditions. How can I do that?
Thanks in advance.


#2

Is this what you want?

sql = "date = #{date} AND published=#{published}"


#3

Use the methods 'quote' or 'sanitize'.


#4

I just got done reviewing some of the info in the ferret wiki. It looks like some great work - thanks!

I'm building an app that is going to have some search capability and I was planning on using mysql with fulltext searches, but looking at ferret has got me wondering if there might not be a better way.

Specifically, I was wondering about the idea of using an in-memory index for increasing the speed of searches.

The data I'm storing will be most utilized when it is relatively new. After it's a few days old, people won't need it as much. So putting all this data in the same database may not make sense (if it's relatively easy to split it into 'fresh' and 'stale' databases).

Would it make sense to consider using an in-memory cache of documents for the newest data while having a disk-based index for when people want to search for older documents? Or would the performance gains not be worth the effort?

-kevin


#5

:conditions => ["date = ? and published = ?", date, published]


#6

What I meant was: how can I make this replacement without using :conditions, outside the query?
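As an added example (not code from anyone in this thread), here is a standalone Ruby sketch of what the 'quote'/'sanitize' approach from #3 and the placeholder array from #5 do, which is what #6 is asking for outside :conditions; the helper names are assumptions, and in Rails itself the equivalent is `sanitize_sql_array` on the model class or `connection.quote`.

```ruby
require 'date'

# Quote a single Ruby value as a SQL literal. This mirrors the job that
# ActiveRecord's connection.quote does for a standard-SQL database:
# strings are single-quoted with embedded quotes doubled, so user input
# can never close the literal early. (Assumed helper, not Rails' own.)
def quote_sql_value(value)
  case value
  when nil            then 'NULL'
  when true           then 'TRUE'
  when false          then 'FALSE'
  when Integer, Float then value.to_s
  when Date           then "'#{value.strftime('%Y-%m-%d')}'"
  when String         then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "don't know how to quote #{value.class}"
  end
end

# Expand "col = ? AND other = ?" the way [sql, *values] does for
# :conditions, but as a plain string usable anywhere. Each '?' is
# replaced, left to right, by the quoted value; a count mismatch is an
# error rather than a silently half-bound query.
def bind_sql_conditions(template, *values)
  expected = template.count('?')
  unless expected == values.size
    raise ArgumentError, "#{expected} placeholders but #{values.size} values"
  end
  next_index = -1
  template.gsub('?') { quote_sql_value(values[next_index += 1]) }
end

# The string interpolation from post #2, kept for comparison: values go
# into the SQL unquoted, so a date turns into arithmetic (2006-05-01 is
# a subtraction) and a quote character in a string alters the statement.
def interpolate_sql_conditions(date, published)
  "date = #{date} AND published=#{published}"
end

if __FILE__ == $PROGRAM_NAME
  puts bind_sql_conditions('date = ? AND published = ?', Date.new(2006, 5, 1), true)
  puts bind_sql_conditions('title = ?', "O'Reilly")
  puts interpolate_sql_conditions('2006-05-01', true)
end
```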