ActiveRecord::StatementInvalid Error

Hi There,

I'm getting the following errors while accessing my application.
Can someone please tell me what the possible cause is and whether it
can be resolved?
"
ActiveRecord::StatementInvalid in Site#showalladdress

Showing site/showalladdress.rhtml where line #3 raised:
Mysql::Error: #42000You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'and enabled='1'' at line 1: select * from
addresses where typeid=2 and customerid= and enabled='1'

Extracted source (around line #3):
1: Select Customer Address<br />
2:
3: <%= collection_select "address", :id,
       Address.find_by_sql("select * from addresses where typeid=#{params[:id]} and customerid=#{session[:customerid]} and enabled='1'"),
       :id, :address, {},
       {:onchange => "showcompletedetails()",
        :onclick => remote_function(:update => "", :url => {:action => "setaddress"}, :with => "'id=' + $('address_id').value"),
        :size => "5", :class => "dropdown", :style => "width:100%;border:1px solid #0099cc;"} %>
"

Thanks

Mohd Anas

Hi There,

I'm getting the following errors while accessing my application.
Can someone please tell me what the possible cause is and whether it
can be resolved?
"
ActiveRecord::StatementInvalid in Site#showalladdress

Showing site/showalladdress.rhtml where line #3 raised:
Mysql::Error: #42000You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'and enabled='1'' at line 1: select * from
addresses where typeid=2 and customerid= and enabled='1'

Because you've generated invalid SQL: "customerid= and"

which you've done because you're using find_by_sql without checking
all the things you're interpolating (and exposing yourself to SQL
injection in the process).
find_by_sql is completely unnecessary in this case.

Fred
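To make Fred's two points concrete, here is an added standalone Ruby example (not code from this thread or from Rails): the interpolated query reproduces the exact statement from the error when the session value is nil, and a placeholder-based builder, written here to mimic the shape of ActiveRecord's ["sql with ?", values] conditions array, rejects a missing customer id and quotes values instead of pasting request data into the SQL. The method names (interpolated_query, quote_value, bind_conditions, address_query) are hypothetical.

```ruby
# Added example, not from the original thread. Plain Ruby, no Rails.

# The original template built SQL by string interpolation. With
# session[:customerid] unset, "customerid=" is followed directly by "and",
# which is exactly the syntax error MySQL reported.
def interpolated_query(typeid, customerid)
  "select * from addresses where typeid=#{typeid} and customerid=#{customerid} and enabled='1'"
end

# Quote one value the way a parameter binder would: integers stay bare,
# strings are single-quoted with embedded quotes doubled, nil becomes NULL.
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? in the template with a quoted value, left to right
# (hypothetical stand-in for ActiveRecord's conditions-array handling).
# A count mismatch raises, so a missing value can never silently yield a
# malformed statement.
def bind_conditions(template, values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# The hardened version: fail early when the session has no customer id,
# coerce the request parameter to an integer (Integer() raises on anything
# that is not a plain number), and bind the rest with placeholders.
def address_query(typeid, customerid)
  raise ArgumentError, "customer not set in session" if customerid.nil?
  bind_conditions(
    "select * from addresses where typeid=? and customerid=? and enabled=?",
    [Integer(typeid), Integer(customerid), "1"]
  )
end
```

In the app itself the same idea is simply Address.find(:all, :conditions => ["typeid = ? and customerid = ? and enabled = '1'", params[:id], session[:customerid]]) after checking that the session value is present.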