sprite wrote:
> Thanks for leading me on the right path.
Whom are you addressing? Please quote when replying in future.
> Fixed a few errors and it
> worked great:
>
> def top_tippers
>   sql_query = "SELECT top_tippers.total_tips AS total_tips,
>                      top_tippers.client_id AS client_id,
>                      users.login_slug AS login_slug,
>                      users.login AS login
>               FROM (
>                 SELECT SUM(tips.amount_cents) AS total_tips,
>                        tips.client_id AS client_id
>                 FROM tips
>                 WHERE tips.vendor_id = #{self.id}
>                 GROUP BY tips.client_id
>                 ORDER BY total_tips DESC) AS top_tippers, users
>               WHERE top_tippers.client_id = users.id"
>   @top_tippers = User.find_by_sql(sql_query)
> end
>
You probably don't need to write that much SQL. Again, see if the
Calculations module will help.
>
> What's the danger of interpolating the id directly? It is not passed
> in any way from the user. It is the primary_key integer ID of the
> user.
How sure can you be that you won't get passed a bogus ID?
> How do I use placeholders when constructing the query?
Read the find_by_sql documentation.
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
[email protected]
--
Posted via http://www.ruby-forum.com/.
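As an added example (not sprite's or Marnen's code), here is the same query written with the bind-placeholder form that `find_by_sql` accepts, plus the bogus-id check Marnen alludes to. The `TopTippersQuery` module, its `for_vendor` helper and the Integer check are my assumptions; the SQL and the `Vendor`/`User`/`tips` names are from the thread, and the helper needs no database so it can be checked on its own.

```ruby
# Added example: build the top-tippers query with a "?" bind placeholder
# instead of interpolating self.id into the SQL string. ActiveRecord quotes
# the bound value itself, so a non-numeric or crafted id cannot alter the
# query. Module name, helper and validation are hypothetical.
module TopTippersQuery
  # The thread's query, with the vendor id replaced by a placeholder.
  QUERY = <<~SQL.freeze
    SELECT top_tippers.total_tips AS total_tips,
           top_tippers.client_id AS client_id,
           users.login_slug AS login_slug,
           users.login AS login
    FROM (
      SELECT SUM(tips.amount_cents) AS total_tips,
             tips.client_id AS client_id
      FROM tips
      WHERE tips.vendor_id = ?
      GROUP BY tips.client_id
      ORDER BY total_tips DESC
    ) AS top_tippers, users
    WHERE top_tippers.client_id = users.id
  SQL

  # Returns the [sql, bind] array form understood by User.find_by_sql,
  # after rejecting anything that is not a positive Integer primary key.
  # Even if the id "never comes from the user", failing loudly here is
  # cheaper than finding out in production that it did.
  def self.for_vendor(vendor_id)
    unless vendor_id.is_a?(Integer) && vendor_id.positive?
      raise ArgumentError, "vendor_id must be a positive Integer, got #{vendor_id.inspect}"
    end
    [QUERY, vendor_id]
  end
end

# In the Rails model (assumed Vendor class) the method becomes:
#
#   def top_tippers
#     @top_tippers = User.find_by_sql(TopTippersQuery.for_vendor(id))
#   end
#
# Marnen's Calculations-module suggestion covers the inner SELECT without
# any hand-written SQL; it returns a { client_id => total_cents } hash:
#
#   Tip.where(vendor_id: id).group(:client_id).sum(:amount_cents)
```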
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.