A couple of things:
1) You want to make sure you protect against SLQ injection, so do not
pass the variables without escaping them. Rails does this for you when
it substitutes the ? in the find method.
2) You can use the code below to do what you want.
Hope that helps,