Quoting Sijo Kg <rails-mailing-l...@andreas-s.net>:
> 
> Jeffrey L. Taylor wrote:
> > Quoting CoolAJ86 <coola...@gmail.com>:
> >> [:jobs, :photos])
> > :conditions =>
> >     "jobs.name LIKE 'Teacher%' AND group_id = #{current_contact.group}"
> > 
> > HTH,
> >   Jeffrey
> 
> Passing a string to :conditions like this welcomes SQL injection attacks.
> So can it be avoided and pass an array instead, like in the last post by
> fred? Am I right?
> 

Only if current_contact.group is a string.  I assumed that it is an integer, in
which case no SQL injection attack is possible for this call.

Jeffrey

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
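The two :conditions forms argued over above, as an added example that is not
part of the thread or of Rails itself. It runs without ActiveRecord: the
quote_value and conditions_from_array helpers are a simplified stand-in for
what ActiveRecord's sanitize_sql_array does with the array form, and the
group values (BENIGN_GROUP, MALICIOUS_GROUP) are constructed inputs. It shows
the interpolated string from Jeffrey's reply, the same predicate in array
form, and an Integer() cast that turns his "I assumed it is an integer" into
something the code enforces.

```ruby
# Added example, not code from the thread or from Rails. Models the two
# :conditions styles without requiring ActiveRecord. quote_value and
# conditions_from_array are an assumed, simplified stand-in for the quoting
# ActiveRecord applies to the array form [sql_with_placeholders, *values].

# Quote one bind value the way a SQL adapter would: integers go in bare,
# strings are single-quoted with embedded single quotes doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind value: #{value.inspect}"
  end
end

# Array form: each '?' in the template is replaced, left to right, by the
# quoted form of the matching value, so the value can never end the literal.
def conditions_from_array(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  vals = values.dup
  template.gsub("?") { quote_value(vals.shift) }
end

# The form from the thread: the group value interpolated straight into SQL.
# Safe only while the interpolated value is actually an Integer.
def conditions_interpolated(group)
  "jobs.name LIKE 'Teacher%' AND group_id = #{group}"
end

# Same predicate, array form.
def conditions_parameterized(group)
  conditions_from_array("jobs.name LIKE 'Teacher%' AND group_id = ?", group)
end

# Interpolation behind an explicit cast: Kernel#Integer raises ArgumentError
# on anything that is not a whole number, so a SQL fragment never reaches
# the string.
def conditions_with_cast(group)
  conditions_interpolated(Integer(group))
end

# Constructed inputs: a benign integer and a string an attacker could supply
# if current_contact.group were a string column or came from a request.
BENIGN_GROUP    = 7
MALICIOUS_GROUP = "0 OR 1=1 --"

if __FILE__ == $0
  puts conditions_interpolated(BENIGN_GROUP)
  puts conditions_interpolated(MALICIOUS_GROUP)   # predicate rewritten by the input
  puts conditions_parameterized(MALICIOUS_GROUP)  # payload stays a quoted literal
  begin
    conditions_with_cast(MALICIOUS_GROUP)
  rescue ArgumentError => e
    puts "cast rejected input: #{e.message}"
  end
end
```

With the integer, all three forms produce the same SQL, which is Jeffrey's
point. With the string, only the interpolated form lets the input change the
predicate; the array form keeps it inside a literal and the cast rejects it
before any SQL is built.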