find

Jason_Roelofs · November 16, 2007, 5:29pm

Try:

User.find(:all, :conditions => [“role = ? and first LIKE A%”, params[:user][:role]] )

Just a warning, what you’ve got now has an SQL injection attack. Think about what happens if someone posts the following:

params[user[role]]=“name; DROP TABLE users; --”

What I’ve posted properly sanitizes the input so this can’t happen.

Jason

Rick_DeNatale · November 16, 2007, 6:57pm

rab · November 16, 2007, 7:40pm

Your problem isn't too many parentheses, it is too few quotes. Try either of these:

@users = User.find(:all, :conditions => ["role = ? and first LIKE 'A%'", params[:role]] )

or

@users = User.find(:all, :conditions => ["role = ? and first LIKE ?", params[:role], 'A%'] )

-Rob

Rob Biedenharn http://agileconsultingllc.com Rob@AgileConsultingLLC.com

Topic		Replies	Views
find conditions question rubyonrails-talk	8	109	September 21, 2006
validating the whole app against dangerous characters rubyonrails-talk	0	108	November 7, 2006
Could someone tell me if the query is secure rubyonrails-talk	2	122	October 29, 2009
how to SQL-escape user input/do SQL-LIKE thru AR? rubyonrails-talk	1	165	May 8, 2007
find results help!!! rubyonrails-talk	3	112	June 29, 2007