Toggleable sorting using session variable?

Yup. SQL injection. params[:sort_by] could contain an SQL fragment.

Vish

@books = paginate :books, :order => ['?', sort_by], :per_page => 10 ?

Vish

Hmm weird. Try a space after the ?, as in "? ".

Vish

What about "? DESC" or "? ASC"? Trial and error (and script/console) is a good friend :slight_smile: Sadly I don't have irb right now.

Vish

> > Vishnu Gopal wrote:
> > Hmm weird. Try a space after the ?, as in "? ".
>
> That returns the same error:
>
> > SELECT * FROM books ORDER BY ? isbn LIMIT 0, 10
>
> I can't believe this paginate issue hasn't been covered somewhere! My
> searches only revealed that one thread posted above.
>
> --
> Posted via http://www.ruby-forum.com/.


My preferred method for doing this is to pass a hash key in the sort
parameter like...

/object/action?sort=name_up

Then I do a lookup in the action...

sort = { 'name_up' => 'name ASC', 'name_down' => 'name DESC' }

Object.find(:all, :order => sort[params[:sort]])

This way you don't have to worry about SQL injections and you can make
complicated sort orders.

_Kevin
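The allowlist lookup Kevin describes, written out as an added example (not code from this thread), with a safe default for unknown keys, the LIMIT/offset from the paginate call earlier in the thread, and the up/down toggle the subject line asks about. The sort keys, the `books` columns and PER_PAGE are assumptions.

```ruby
# Added example, not Kevin's code: the allowlisted ORDER BY lookup from his
# post, with a safe default for unknown keys and the toggle links that the
# thread title asks about. Keys, columns and PER_PAGE are assumptions.
SORT_ORDERS = {
  'name_up'   => 'name ASC',
  'name_down' => 'name DESC',
  'isbn_up'   => 'isbn ASC',
  'isbn_down' => 'isbn DESC'
}.freeze

DEFAULT_SORT_KEY = 'name_up'
PER_PAGE = 10

# The request value is used only as a hash key, so whatever the client sends,
# the returned fragment is one of the literal strings above.
def safe_order(sort_param)
  SORT_ORDERS.fetch(sort_param.to_s, SORT_ORDERS[DEFAULT_SORT_KEY])
end

# Builds the paginated query; only the allowlisted literal and an integer
# offset are interpolated, never params['sort'] itself.
def books_query(params)
  page   = [params['page'].to_i, 1].max
  offset = (page - 1) * PER_PAGE
  "SELECT * FROM books ORDER BY #{safe_order(params['sort'])} " \
    "LIMIT #{offset}, #{PER_PAGE}"
end

# Key to put in the column-header link so a second click reverses the order.
# Unknown keys are treated as the default before toggling.
def toggle_sort(current)
  key     = SORT_ORDERS.key?(current.to_s) ? current.to_s : DEFAULT_SORT_KEY
  flipped = key.end_with?('_up') ? key.sub(/_up\z/, '_down') : key.sub(/_down\z/, '_up')
  SORT_ORDERS.key?(flipped) ? flipped : DEFAULT_SORT_KEY
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request values: one legitimate, one carrying an SQL fragment.
  puts books_query('sort' => 'isbn_down', 'page' => '2')
  puts books_query('sort' => 'isbn; DROP TABLE books', 'page' => 'x')
  puts toggle_sort('isbn_down')
end
```

Because the lookup falls back to DEFAULT_SORT_KEY, a stale bookmark or a tampered value degrades to the default ordering instead of raising or reaching the database.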