Yup. SQL injection. params[:sort_by] could contain an SQL fragment.
Vish
@books = paginate :books, :order => ['?', sort_by], :per_page => 10 ?
Vish
Hmm weird. Try a space after the ?, as in "? ".
Vish
What about "? DESC" or "? ASC"? Trial and error (and script/console) is a good friend. Sadly I don't have irb right now.
Vish
> Vishnu Gopal wrote:
> > Hmm weird. Try a space after the ?, as in "? ".
>
> That returns the same error:
>
> > SELECT * FROM books ORDER BY ? isbn LIMIT 0, 10
>
> I can't believe this paginate issue hasn't been covered somewhere! My
> searches only revealed that one thread posted above.
>
> --
> Posted via http://www.ruby-forum.com/.
My preferred method for doing this is to pass a hash key in the sort parameter like...
/object/action?sort=name_up
Then I do a lookup in the action...
sort = { 'name_up' => 'name ASC', 'name_down' => 'name DESC' }
Object.find(:all, :order => sort[params[:sort]])
This way you don't have to worry about SQL injections and you can make complicated sort orders.
_Kevin
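The thread's error output shows why the placeholder trick fails: :order takes a plain string, so the "?" is never substituted and the request value would be spliced straight into ORDER BY. Kevin's hash lookup avoids that by letting the client choose only a key. The following is an added example, not code from this thread or from Rails; it is plain Ruby so it runs without a Rails install, and the SORT_ORDERS keys, the books_sql helper and the request hash are all constructed for illustration. It also covers the one gap in a bare sort[params[:sort]]: an unknown or missing key yields nil, so the lookup below falls back to a default order instead.

```ruby
# Added example (not from the thread): whitelist lookup for a sort parameter
# in the style of Kevin's hash approach, written as plain Ruby with no Rails.
# The keys are the only values a client may send; the values are ORDER BY
# fragments written by us, so nothing from the request reaches the SQL.
SORT_ORDERS = {
  'name_up'   => 'name ASC',
  'name_down' => 'name DESC',
  'isbn_up'   => 'isbn ASC',
  'isbn_down' => 'isbn DESC, name ASC'  # compound orders are fine here
}.freeze

DEFAULT_SORT = 'name ASC'

# Resolve the client-supplied sort key to a trusted ORDER BY fragment.
# Unknown or missing keys fall back to DEFAULT_SORT rather than producing
# :order => nil, which is what a bare sort[params[:sort]] does for a miss.
def order_for(param)
  SORT_ORDERS.fetch(param.to_s, DEFAULT_SORT)
end

# Build the paginated query text (a hypothetical helper; a controller would
# hand the :order fragment to paginate/find instead). The order fragment is
# the only dynamic piece and it always comes from SORT_ORDERS.
def books_sql(params, per_page: 10)
  page   = [params.fetch(:page, 1).to_i, 1].max  # non-numeric page -> 0 -> clamped to 1
  offset = (page - 1) * per_page
  "SELECT * FROM books ORDER BY #{order_for(params[:sort])} LIMIT #{offset}, #{per_page}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, as a controller would see them.
  puts books_sql({ sort: 'isbn_down', page: '2' })  # whitelisted key, page 2
  puts books_sql({ sort: 'isbn DESC' })             # raw fragment is not a key: default used
  puts books_sql({})                                # missing parameter: default used
end
```

Because the request value is only ever used as a hash key, a value that is not one of the known keys simply misses and gets the default; the database never sees it.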