[rspec-users] Proper Encapsulation of SQL WHERE / ORDER BY Clauses

Matt Wynne matt at mattwynne.net
Tue Aug 19 02:57:50 EDT 2008

Thanks for the reminder. This stuff is in a protected admin area so I  
don't really care, but I should play on the safe side anyhow.


In case you wondered: The opinions expressed in this email are my own  
and do not necessarily reflect the views of any former, current or  
future employers of mine.

On 18 Aug 2008, at 22:18, Mark Wilden wrote:

> On Mon, Aug 18, 2008 at 1:26 PM, Matt Wynne <matt at mattwynne.net>  
> wrote:
>      def get_where_clause
>        clause = []
>        clause << "city_id = #{@city_id}" if @city_id
>        clause << "name like '%#{@name}%'" if @name
> I think you've still got SQL injection problems here.
> ///ark
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rubyforge.org/pipermail/rspec-users/attachments/20080819/addb16d4/attachment.html>

More information about the rspec-users mailing list