tag:www.refactormycode.com,2007:users1887 Mon Jan 18 21:24:53 -0800 2010 tag:www.refactormycode.com,2007:Refactor417803 2010-01-18T21:24:53-08:00 <p>I thought that the [&quot;?&quot;, var] pattern protected from sql injection like it says in the docs, no?</p> <pre>## From railsguides [ruby] # But in SQL fragments, especially in conditions fragments (:conditions =&gt; &quot;...&quot;), the connection.execute() # or Model.find_by_sql() methods, it has to be applied manually. Instead of passing a string to the conditions # option, you can pass an array to sanitize tainted strings like this: Model.find(:first, :conditions =&gt; [&quot;login = ? AND password = ?&quot;, entered_user_name, entered_password]) # As you can see, the first part of the array is an SQL fragment with question marks. The sanitized versions # of the variables in the second part of the array replace the question marks. Or you can pass a hash for the same result:</pre> David tag:www.refactormycode.com,2007:Refactor417666 2010-01-18T16:10:42-08:00 <p>Thanks. Updated now.</p> <pre></pre> David tag:www.refactormycode.com,2007:Code1149 2010-01-17T20:52:15-08:00 2010-01-21T03:33:18-08:00 <p>How can I turn this into something more activerecordish? I might want to add another condition into that query, like limiting the search to clips after a specific date.</p> <pre>Clip.find_by_sql([&quot;select * from clips where not exists (select 'clip_id' from histories where histories.clip_id = clips.id and histories.user_id = ?) ORDER BY clips.created_at DESC LIMIT 20&quot;, user.id])</pre> David