A couple of things:
1) You want to make sure you protect against SQL injection, so do not pass the variables without escaping them. Rails does this for you when it substitutes the ? in the find method.
2) You can use the code below to do what you want.
Hope that helps,
Alberto.