Quoting Sijo Kg <rails-mailing-l...@andreas-s.net>:
>
> Jeffrey L. Taylor wrote:
> > Quoting CoolAJ86 <coola...@gmail.com>:
> >> [:jobs, :photos])
> > :conditions =>
> > "jobs.name LIKE 'Teacher%' AND group_id = #{current_contact.group}"
> >
> > HTH,
> > Jeffrey
>
> Passing a string to :conditions like this welcomes SQL injection attacks.
> So can it be avoided and pass an array instead like in last post by
> fred? Am I right?
>
Only if current_contact.group is a string. I assumed that it is an integer, in which case no SQL injection attack is possible for this call.

Jeffrey
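An added example, not code from the thread or from Rails itself: a small stand-in for the array form of :conditions, so the difference between interpolating current_contact.group into the SQL string and passing it as a bound value can be seen without a database. The helper names (quote_value, conditions_from_array) and the quoting rules are assumptions that mirror what a SQL adapter does for integers and strings.

```ruby
# Quote one bound value the way a SQL adapter would (assumed rules).
def quote_value(value)
  case value
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"   # double any embedded quote
  when nil     then "NULL"
  else raise ArgumentError, "unsupported bind type: #{value.class}"
  end
end

# Stand-in for :conditions => ["... = ?", value]: each ? becomes a quoted bind.
def conditions_from_array(template, *binds)
  raise ArgumentError, "bind count mismatch" unless template.count("?") == binds.size
  i = -1
  template.gsub("?") { quote_value(binds[i += 1]) }
end

# The form from the thread: the value is spliced straight into the SQL text.
def conditions_interpolated(group)
  "jobs.name LIKE 'Teacher%' AND group_id = #{group}"
end

# The array form suggested in the thread: the value travels as a bind, not as SQL.
def conditions_bound(group)
  conditions_from_array("jobs.name LIKE 'Teacher%' AND group_id = ?", group)
end

if __FILE__ == $0
  # Integer group (Jeffrey's assumption): both forms yield the same SQL.
  puts conditions_interpolated(42)
  puts conditions_bound(42)
  # String group with an embedded quote (constructed value): interpolation lets
  # the value change the SQL text; the bound form keeps it inside a literal.
  puts conditions_interpolated("O'Brien")
  puts conditions_bound("O'Brien")
end
```

With an integer the two forms are indistinguishable, which is Jeffrey's point; the moment the column value comes from a string, only the bound form keeps it from becoming part of the query.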