Sorry for the hair-splitting, I know that it's just an example, but just in case someone copies it, would you consider changing
items = Tweet.find(:all, :conditions => "text LIKE '%#{param(:term)}%'")
to something like
items = Tweet.find(:all, :conditions => ["text LIKE '%' || ? || '%'", param(:term)])
or maybe
items = Tweet.where("text LIKE ?", "%#{param(:term)}%")
on http://apotomo.de/peters-guide-1.1/autocomplete.html in line 9 of app/cells/quick_search.rb
because it's a security hole.
Cheers,
Bernát
p.s. Apotomo is awesome. It solved nearly all problems I currently had with rails. Many thanks :)
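The difference between the two query styles, as an added example that is not part of the post above or of the Apotomo guide. ActiveRecord is not loaded here; `quote` and `bind` are small stand-ins (assumptions, not the library's API) that imitate what the `["sql with ?", args]` form does, so the SQL each style generates can be compared offline on a hostile search term:

```ruby
# Added example (not from the Apotomo guide or the post above): how the two
# ways of building the quick-search condition behave on a hostile term.
# ActiveRecord is not loaded; `quote` and `bind` are stand-ins that imitate
# what ActiveRecord does for `?` placeholders (single quotes doubled).

# Stand-in for the adapter's value quoting: wrap in single quotes and double
# any embedded single quote, the standard SQL string escape.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for the ["sql with ?", args] form: each ? receives one quoted
# argument. Raises if the counts do not match.
def bind(sql, *args)
  placeholders = sql.count("?")
  unless placeholders == args.size
    raise ArgumentError, "expected #{placeholders} args, got #{args.size}"
  end
  values = args.dup
  sql.gsub("?") { quote(values.shift) }
end

# 1. The guide's original line: the request parameter is interpolated
#    straight into the WHERE clause. A term containing a single quote
#    closes the literal and the rest is executed as SQL.
def conditions_interpolated(term)
  "text LIKE '%#{term}%'"
end

# 2. The suggested fix: the term is a bound value, wildcards are added in Ruby.
#    The quote is doubled by `quote`, so the whole term stays inside the literal.
def conditions_bound(term)
  bind("text LIKE ?", "%#{term}%")
end

# 3. One step further: also escape LIKE wildcards so a term of "%" or "_"
#    cannot turn the search into "match everything". Rails 4.2+ ships
#    ActiveRecord::Base.sanitize_sql_like for this; this is a hand-written
#    equivalent using backslash as the ESCAPE character.
def escape_like(term)
  term.gsub(/[\\%_]/) { |c| "\\" + c }
end

def conditions_bound_escaped(term)
  bind("text LIKE ? ESCAPE '\\'", "%#{escape_like(term)}%")
end

if __FILE__ == $0
  hostile = "' OR 1=1 --"   # constructed sample input
  puts conditions_interpolated(hostile)   # quote closed, OR 1=1 is live SQL
  puts conditions_bound(hostile)          # quote doubled, stays a literal
  puts conditions_bound_escaped("50%_off")
end
```

Two caveats for anyone copying the fix: `'%' || ? || '%'` relies on `||` being string concatenation, which holds for SQLite and PostgreSQL but not for MySQL (there `||` is logical OR unless PIPES_AS_CONCAT is set), so the `"%#{param(:term)}%"` bound-value form is the portable one; and binding the value stops SQL injection but does not stop `%` and `_` in the term from acting as LIKE wildcards, which is what the third variant handles.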