ActiveRecord::StatementInvalid Error

Hi There,

I'm getting the following errors while accessing my application. Can someone please tell me what the possible cause is and whether it can be resolved? " ActiveRecord::StatementInvalid in Site#showalladdress

Showing site/showalladdress.rhtml where line #3 raised: Mysql::Error: #42000You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and enabled='1'' at line 1: select * from addresses where typeid=2 and customerid= and enabled='1'

Extracted source (around line #3):

1: Select Customer Address<br />
2:
3: <%=collection_select "address", :id, Address.find_by_sql("select * from addresses where typeid=#{params[:id]} and customerid=#{session[:customerid]} and enabled='1'"), :id, :address, {}, {:onchange=>"showcompletedetails()", :onclick=>remote_function(:update=>"", :url=>{:action=>"setaddress"},:with => "'id=' + $('address_id').value"),:size=>"5",:class=>"dropdown",:style=>"width: 100%;border:1px solid #0099cc;" }%> "

Thanks

Mohd Anas

> Hi There,
>
> I'm getting the following errors while accessing my application. Can someone please tell me what the possible cause is and whether it can be resolved? " ActiveRecord::StatementInvalid in Site#showalladdress
>
> Showing site/showalladdress.rhtml where line #3 raised: Mysql::Error: #42000You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and enabled='1'' at line 1: select * from addresses where typeid=2 and customerid= and enabled='1'

Because you've generated invalid SQL: "customerid= and"

which you've done because you're using find_by_sql without checking
all the things you're interpolating (and exposing yourself to SQL
injection in the process). find_by_sql is completely unnecessary in this case.

Fred
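As an added illustration of Fred's point (this is example code, not anything posted in the thread or part of Rails), the following stand-alone Ruby reproduces the broken statement from the error message and shows the safer shape: validate the inputs first, then bind values the way an ActiveRecord conditions array (`["... = ?", value]`) does. The `quote_value` and `sanitize_sql_array` methods are small stand-ins for ActiveRecord's own quoting, written here so the example runs without Rails or a database; `MissingCustomer` and `address_query` are likewise names chosen for this example.

```ruby
# Added example, not code from the thread. It reproduces the failure Fred
# points at (a nil session value interpolated into SQL) and shows the safer
# shape: validate inputs first, then bind values the way ActiveRecord's
# conditions array (["... = ?", value]) does. quote_value/sanitize_sql_array
# below are stand-ins for ActiveRecord's own quoting, written for this
# example so it runs without Rails or a database.

# The approach from the view: values dropped straight into the SQL string.
# nil interpolates as "", which yields exactly the broken statement from the
# error message; a string such as "2 or 1=1" would change the query instead.
def interpolated_sql(typeid, customerid)
  "select * from addresses where typeid=#{typeid} and customerid=#{customerid} and enabled='1'"
end

# Quote one bind value as an SQL literal (stand-in for ActiveRecord's quoting).
# Strings get standard SQL quoting, with embedded single quotes doubled.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind type: #{value.class}"
  end
end

# Stand-in for sanitize_sql_array: each ? in the template is replaced by the
# quoted form of the next bind value, so user data never becomes SQL syntax.
def sanitize_sql_array(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.length
    raise ArgumentError, "expected #{placeholders} binds, got #{values.length}"
  end
  binds = values.dup
  template.gsub("?") { quote_value(binds.shift) }
end

# Raised when the session carries no customer id; clearer than emitting
# "customerid= and" and letting MySQL reject it.
class MissingCustomer < StandardError; end

# Build the query the view needs. typeid comes from params, customerid from
# the session; both are forced to integers before they get near the SQL.
def address_query(typeid_param, customerid_from_session)
  raise MissingCustomer, "no customerid in session" if customerid_from_session.nil?
  typeid     = Integer(typeid_param.to_s, 10)            # "2 or 1=1" raises ArgumentError
  customerid = Integer(customerid_from_session.to_s, 10)
  sanitize_sql_array(
    "select * from addresses where typeid = ? and customerid = ? and enabled = ?",
    typeid, customerid, "1"
  )
end

if __FILE__ == $0
  puts interpolated_sql(2, nil)      # the invalid SQL from the error message
  puts address_query("2", 7)         # well-formed, fully quoted statement
  puts quote_value("1' or '1'='1")   # quotes doubled: stays a plain string literal
end
```

In the view itself, the Rails equivalent of `address_query` is to drop `find_by_sql` and let ActiveRecord do the quoting, e.g. `Address.find(:all, :conditions => ["typeid = ? AND customerid = ? AND enabled = '1'", params[:id], session[:customerid]])`, after first checking in the controller that `session[:customerid]` is actually set.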