Hi,
I often find in my code that it is more convenient to build the condition for a find into a variable before calling the find method. This can allow parts of the condition to be built up in stages, often dependent upon other conditions.
I am not sure what exactly takes place in the Rails code to eliminate the risk of SQL injection attacks when the condition parameters are passed in a hash as recommended, e.g.
Booking.find(:first, :conditions=>['bookingref_id = :bid', {:bid=>@bref.id}])
My question therefore is that if I do this instead of the above:
cond=['bookingref_id = :bid', {:bid=>@bref.id}]
Booking.find(:first, :conditions=>cond)
Do I still get protection from SQL injection attacks?
The main difference, as far as I can see, is that @bref.id is evaluated and saved into :bid when cond is first assigned. Now it could be that this messes up the checks that are made in the find method, but with my rather limited knowledge it would seem to me that there is no difference, since I would think that in the first example @bref.id is evaluated and assigned to :bid at the point when find is actually called, and therefore what the find method itself would see would be exactly the same.
I would be grateful if someone more enlightened than me could confirm if my assumption is correct, or if what I am doing is dangerous?
Many Thanks Tonypm
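The mechanism the question is about, as an added stand-alone example (not Rails code and not from the original post): a simplified stand-in for ActiveRecord's named-bind substitution shows that the conditions array is just an ordinary Ruby array holding an already-evaluated value, so building it in a variable yields exactly the same quoted SQL as passing it inline. It also contrasts this with a plain string condition, which is used verbatim, to show where the protection does not apply. `Bref`, `quote_value` and `build_conditions` are hypothetical names chosen here.

```ruby
# Simplified stand-in for ActiveRecord's named-bind substitution (assumption:
# it is NOT Rails' own code). The SQL fragment is kept exactly as written and
# every :name placeholder is replaced by the quoted form of its bind value.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"   # double any embedded single quote
  end
end

def build_conditions(conditions)
  # A bare string condition is passed through untouched, as Rails does.
  return conditions if conditions.is_a?(String)

  fragment, binds = conditions
  fragment.gsub(/:(\w+)/) do
    name = Regexp.last_match(1).to_sym
    raise KeyError, "no bind value for :#{name}" unless binds.key?(name)
    quote_value(binds[name])
  end
end

# Stand-in for the @bref object from the post (constructed sample).
Bref = Struct.new(:id)

# Build the condition inline and via a variable; both see the same array.
def inline_vs_variable(bref)
  inline = build_conditions(['bookingref_id = :bid', { :bid => bref.id }])
  cond = ['bookingref_id = :bid', { :bid => bref.id }]   # value captured now
  from_variable = build_conditions(cond)
  [inline, from_variable]
end

# The form that loses protection: interpolating the value into the fragment,
# so it never goes through quote_value at all.
def interpolated_condition(value)
  build_conditions("bookingref_id = #{value}")
end

if __FILE__ == $0
  p inline_vs_variable(Bref.new(42))
  p build_conditions(['ref = :r', { :r => "x' OR 'y" }])
  p interpolated_condition("x' OR 'y")
end
```

The bind hash holds a value, not an expression, so the moment of evaluation makes no difference; only the fragment text is trusted, which is why values must stay in the hash rather than be interpolated into the string.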