With code like this:

    def advanced_search
      $elementspro = params[:elementprovince]
      $elementstype = params[:elementstype]
      $elementsequipment = params[:elementsequipment]
      $elementdown = params[:elementdown]
      $elementstatus = params[:elementstatus]
      $elementapproval = params[:elementapproval]
      $elementteam = params[:elementteam]
      $elementstaffname = params[:elementstaffname]
      $frm_view_setup = params[:frm_view_setup]
      @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
        :conditions => "province='" + $elementspro + "'" +
                       "or type_of_job='" + $elementstype + "'" +
                       "or equipment_part='" + $elementsequipment + "'" +
                       "or sitedown='" + $elementdown + "'" +
                       "or job_status='" + $elementstatus + "'" +
                       "or job_status='" + $elementapproval + "'" +
                       "or team_on_job='" + $elementteam + "'" +
                       "or RecorderName='" + $elementstaffname + "'",
        :order => 'jobNo ASC',
        :per_page => $per_page
    end
you might as well post your database password in public. This is dangerous code. It allows SQL injection. It's pretty clear you come from a PHP world. I suggest you read a few books on Ruby programming, and google a bit for "rails sql injection." Your code is a security nightmare.
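As an added illustration of the injection the reply is pointing at (example code written for this thread, not the poster's code and not a Rails library call): the first builder glues raw params into the WHERE string exactly as advanced_search does, the second uses the placeholder form that Rails' :conditions accepts, [sql_with_?_placeholders, *values]. The column and parameter names come from the post; the helper names, the stand-in quoting routine and the attacker value are assumptions made for the demonstration, and nothing here needs a database or Rails to run.

```ruby
# Added example, not the poster's code or Rails' own. It rebuilds the WHERE
# clause the way the posted advanced_search does (string concatenation of raw
# params) and contrasts it with the placeholder form of :conditions.

# Request parameter -> column, taken from the posted action.
FIELDS = {
  "elementprovince"   => "province",
  "elementstype"      => "type_of_job",
  "elementsequipment" => "equipment_part",
  "elementdown"       => "sitedown",
  "elementstatus"     => "job_status",
  "elementapproval"   => "job_status",
  "elementteam"       => "team_on_job",
  "elementstaffname"  => "RecorderName",
}.freeze

# Vulnerable: each value is glued into the SQL text inside single quotes with
# no escaping, as the posted code does. A quote in the input closes the
# literal early and whatever follows is parsed as SQL, not as data.
def vulnerable_conditions(params)
  FIELDS.map { |param, column| "#{column}='#{params[param]}'" }.join(" or ")
end

# Hardened: the SQL text is fixed and the values travel separately. In the
# controller this replaces the concatenated string:
#   :conditions => safe_conditions(params)
# The database adapter quotes each bound value, so input cannot change the
# shape of the query. Blank params are dropped so an empty form does not
# search for "column = ''". (Helper name is an assumption, not a Rails API.)
def safe_conditions(params)
  present = FIELDS.select { |param, _| params[param] && !params[param].to_s.empty? }
  return nil if present.empty?
  sql = present.map { |_, column| "#{column} = ?" }.join(" OR ")
  [sql, *present.map { |param, _| params[param] }]
end

# Stand-in for the quoting an adapter applies to a bound value (doubling
# embedded single quotes, as MySQL and SQLite do). Demonstration only; in
# the real application the adapter does this, never the controller.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Render the hardened conditions as the adapter would, so both forms can be
# compared as text.
def render_safe_conditions(params)
  conditions = safe_conditions(params)
  return "" if conditions.nil?
  sql, *values = conditions
  pieces = sql.split("?", -1)
  quoted = values.map { |v| quote_value(v) } + [""]
  pieces.zip(quoted).map(&:join).join
end

# Return only the text of a WHERE clause that sits outside string literals,
# i.e. the part the database will execute as SQL. Tracks quote state; a
# doubled '' inside a literal is an escaped quote, not a terminator.
def sql_outside_literals(where)
  out = String.new
  in_literal = false
  i = 0
  while i < where.length
    ch = where[i]
    if in_literal
      if ch == "'" && where[i + 1] == "'"
        i += 1                       # escaped quote, stay inside the literal
      elsif ch == "'"
        in_literal = false
      end
    elsif ch == "'"
      in_literal = true
    else
      out << ch
    end
    i += 1
  end
  out
end

if __FILE__ == $0
  # Constructed attacker input for the province field.
  hostile = { "elementprovince" => "x' or 1=1 -- " }
  puts "vulnerable: #{vulnerable_conditions(hostile)}"
  puts "executed as SQL: #{sql_outside_literals(vulnerable_conditions(hostile))}"
  puts "safe:       #{render_safe_conditions(hostile)}"
  puts "executed as SQL: #{sql_outside_literals(render_safe_conditions(hostile))}"
end
```

With the hostile value the concatenated clause executes `or 1=1 --` as SQL and comments out the rest of the WHERE, returning every row; the placeholder form keeps the same characters inside one quoted literal and the only SQL the database sees is `province = `.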

