Thanks for the reminder. This stuff is in a protected admin area so I
don't really care, but I should play on the safe side anyhow.
cheers,
Matt
----
http://blog.mattwynne.net
http://songkick.com
In case you wondered: The opinions expressed in this email are my own
and do not necessarily reflect the views of any former, current or
future employers of mine.
On 18 Aug 2008, at 22:18, Mark Wilden wrote:

> On Mon, Aug 18, 2008 at 1:26 PM, Matt Wynne <[EMAIL PROTECTED]> wrote:
>
>> def get_where_clause
>>   clause = []
>>   clause << "city_id = [EMAIL PROTECTED]" if @city_id
>>   clause << "name like '[EMAIL PROTECTED]'" if @name
>
> I think you've still got SQL injection problems here.
>
> ///ark
_______________________________________________
rspec-users mailing list
rspec-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users
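
The where-clause pattern discussed in this thread, as an added example that is not code from the thread or from either poster: an interpolating builder next to one that keeps values out of the SQL text. It assumes the redacted fragments interpolated @city_id and @name into the string; the VenueFilter class name, the '!' escape character and the sample inputs are constructed for illustration.

```ruby
# Added example. VenueFilter is a hypothetical class; the redacted parts of
# the thread's code are assumed to be string interpolation of the two fields.
class VenueFilter
  def initialize(city_id: nil, name: nil)
    @city_id = city_id
    @name = name
  end

  # Unsafe: request values become part of the SQL text itself, so a quote
  # in @name ends the string literal and the rest is parsed as SQL.
  def unsafe_where_clause
    clause = []
    clause << "city_id = #{@city_id}" if @city_id
    clause << "name like '%#{@name}%'" if @name
    clause.join(" AND ")
  end

  # Safe: the SQL text holds only placeholders; values travel separately in
  # the [sql, *binds] array form that ActiveRecord conditions accept.
  def where_conditions
    clause = []
    binds = []
    if @city_id
      clause << "city_id = ?"
      binds << Integer(@city_id) # raises ArgumentError on non-numeric input
    end
    if @name
      clause << "name LIKE ? ESCAPE '!'"
      binds << "%#{escape_like(@name)}%"
    end
    [clause.join(" AND "), *binds]
  end

  private

  # Neutralise LIKE wildcards so input cannot widen the match on its own.
  def escape_like(value)
    value.to_s.gsub(/[!%_]/) { |ch| "!#{ch}" }
  end
end
```

The same builder is worth using inside an authenticated admin area, since whatever an admin session submits still ends up as SQL text in the interpolating version.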