finder_sql and SQL injection?

The example from the API for has_many looks like:

has_many :subscribers, :class_name => "Person", :finder_sql =>
    'SELECT DISTINCT people.* ' +
    'FROM people p, post_subscriptions ps ' +
    'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
    'ORDER BY p.first_name'

Notice the interpolation: #{id}

Is this escaped, or is it vulnerable to SQL injection? Is there a syntax that allows something like WHERE ps.post_id = ? If so, what is it? My attempts so far don't work.

Don't know, but at a minimum you could change it to #{id.to_i} to force it to return an integer value...
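
Added example (not part of the original thread and not Rails' own code): a plain-Ruby model of the question, showing what ends up in the SQL text with and without the #{id.to_i} coercion suggested above. It assumes the single-quoted template is interpolated later in the context of the record; Post, interpolate_sql and post_id_condition are hypothetical names, and the string-valued id is a constructed input.

```ruby
# Single quotes: '#{id}' stays literal text here, nothing is interpolated yet.
FINDER_SQL = 'SELECT DISTINCT people.* ' +
             'FROM people p, post_subscriptions ps ' +
             'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
             'ORDER BY p.first_name'

# The same template with the integer coercion suggested in the reply.
COERCED_SQL = FINDER_SQL.sub('#{id}', '#{id.to_i}')

# Hypothetical stand-in for a model instance; not ActiveRecord.
class Post
  attr_reader :id

  def initialize(id)
    @id = id
  end

  # Assumed model of deferred interpolation: the developer-written template
  # is evaluated as a double-quoted string with this record as self.
  # Plain string interpolation performs no SQL quoting or escaping.
  def interpolate_sql(template)
    instance_eval(%("#{template}"))
  end
end

# Helper: pull out whatever was substituted for the post_id comparison.
def post_id_condition(sql)
  sql[/ps\.post_id = (.*?) AND ps\.person_id/, 1]
end

integer_post = Post.new(42)            # id as an integer primary key
string_post  = Post.new("42 OR 1=1")   # constructed: id holding untrusted text

puts post_id_condition(integer_post.interpolate_sql(FINDER_SQL))
puts post_id_condition(string_post.interpolate_sql(FINDER_SQL))
puts post_id_condition(string_post.interpolate_sql(COERCED_SQL))
```

In this model the interpolation is only as safe as the value behind id: an integer passes through unchanged, a string is inserted verbatim, and to_i reduces it to its leading digits.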