[rspec-users] Proper Encapsulation of SQL WHERE / ORDER BY Clauses

Mark Wilden mark at mwilden.com
Mon Aug 18 17:18:29 EDT 2008


On Mon, Aug 18, 2008 at 1:26 PM, Matt Wynne <matt at mattwynne.net> wrote:

>      def get_where_clause
>
>        clause = []
>
>        clause << "city_id = #{@city_id}" if @city_id
>        clause << "name like '%#{@name}%'" if @name
>

I think you've still got SQL injection problems here.

///ark
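The quoted builder rebuilt in full beside a parameterized version, as an added example that is not Matt's or Mark's code (the SearchFilter class name, its keyword initializer and the escape_like helper are assumptions):

```ruby
# Added example, not from the thread: the quoted get_where_clause beside a
# version that keeps SQL text and values apart in the ["sql with ?", value, ...]
# shape ActiveRecord's :conditions option accepts. Class and method names
# are assumptions.
class SearchFilter
  def initialize(city_id: nil, name: nil)
    @city_id = city_id
    @name = name
  end

  # Interpolating values straight into SQL, as in the quoted code: whatever
  # the caller put in @name is copied verbatim into the string the database
  # will parse.
  def unsafe_where_clause
    clause = []
    clause << "city_id = #{@city_id}" if @city_id
    clause << "name like '%#{@name}%'" if @name
    clause.join(" AND ")
  end

  # Parameterized form: placeholders in the SQL, values passed separately,
  # so the driver quotes them and they cannot alter the query's structure.
  def where_conditions
    sql = []
    binds = []
    if @city_id
      sql << "city_id = ?"
      binds << Integer(@city_id)           # non-numeric ids raise instead of being sent
    end
    if @name
      sql << "name LIKE ? ESCAPE '\\'"     # wildcards live in the value, not the SQL
      binds << "%#{escape_like(@name)}%"
    end
    return nil if sql.empty?
    [sql.join(" AND "), *binds]
  end

  private

  # Escape LIKE metacharacters so a user-supplied "%" or "_" matches literally.
  def escape_like(str)
    str.gsub(/[\\%_]/) { |m| "\\#{m}" }
  end
end
```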

