# Array form: user.id is bound to the ? placeholder by ActiveRecord, not interpolated into the string
Clip.find_by_sql(["select * from clips where not exists (select 'clip_id' from histories where histories.clip_id = clips.id and histories.user_id = ?) ORDER BY clips.created_at DESC LIMIT 20", user.id])
Refactorings
No refactoring yet!
Tj Holowaychuk
January 18, 2010 15:03
well there is a huge security flaw in what you have now...
Tj Holowaychuk
January 18, 2010 19:16
still there lol.. google sql injection
David
January 18, 2010 21:24
I thought that the ["?", var] pattern protected from SQL injection like it says in the docs, no?
From railsguides:

# But in SQL fragments, especially in conditions fragments (:conditions => "..."), the connection.execute()
# or Model.find_by_sql() methods, it has to be applied manually. Instead of passing a string to the conditions
# option, you can pass an array to sanitize tainted strings like this:

Model.find(:first, :conditions => ["login = ? AND password = ?", entered_user_name, entered_password])

# As you can see, the first part of the array is an SQL fragment with question marks. The sanitized versions
# of the variables in the second part of the array replace the question marks. Or you can pass a hash for the same result:
How can I turn this into something more ActiveRecord-ish? I might want to add another condition into that query, like limiting the search to clips after a specific date.
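Added example, not code from the original post or from Rails: a pure-Ruby stand-in for the "?" binding the railsguides excerpt describes, plus a hypothetical unseen_clips_sql builder that appends the date condition asked about as one more bound clause. bind_sql and quote_value are simplified models of what ActiveRecord's sanitizer does (assumed behaviour, not its implementation), so the whole thing runs without a database.

```ruby
require "date"

# Quote one bound value the way a SQL sanitizer would: numbers pass through,
# everything else becomes a string literal with embedded quotes doubled.
# (Simplified model of ActiveRecord's quoting, not the Rails code.)
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when Time, Date     then "'#{value.strftime('%Y-%m-%d %H:%M:%S')}'"
  when nil            then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each "?" in the fragment with the next quoted value.
# A count mismatch is an error, as it is in ActiveRecord.
def bind_sql(fragment, *values)
  unless fragment.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  vals = values.dup
  fragment.gsub("?") { quote_value(vals.shift) }
end

# Build the thread's query from a list of [fragment, *params] conditions.
# An extra clause (here a creation-date cutoff) is just another entry,
# so the base SQL never has to be re-edited by hand.
def unseen_clips_sql(user_id, since: nil, limit: 20)
  conditions = [
    ["NOT EXISTS (SELECT 1 FROM histories WHERE histories.clip_id = clips.id " \
     "AND histories.user_id = ?)", user_id]
  ]
  conditions << ["clips.created_at > ?", since] if since
  where = conditions.map { |frag, *vals| bind_sql(frag, *vals) }.join(" AND ")
  "SELECT * FROM clips WHERE #{where} " \
    "ORDER BY clips.created_at DESC LIMIT #{Integer(limit)}"
end

# Contrast: the same query by string interpolation trusts the value verbatim,
# which is the weakness Tj's comment is about.
def unseen_clips_sql_interpolated(user_id)
  "SELECT * FROM clips WHERE NOT EXISTS (SELECT 1 FROM histories " \
    "WHERE histories.clip_id = clips.id AND histories.user_id = #{user_id}) " \
    "ORDER BY clips.created_at DESC LIMIT 20"
end
```

With a constructed user_id of "1 OR 1=1", the bound form yields histories.user_id = '1 OR 1=1' (a harmless literal) while the interpolated form emits it as bare SQL, which is the difference the docs quoted above are describing.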