Closed malteseunderdog closed 12 years ago
The controllers should never use the form
Client.first(:conditions => "name LIKE '%#{params[:name]}%'")
as this is dangerous, and opens up to SQL injection attack. Rather this form should be preferred:
Client.first(:conditions => ["orders_count = ?", params[:orders]])
Please read here for details
For an example, look at match.rb in models
match.rb
fixed
Same thing in player model ...
removed from player too
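The two `:conditions` forms from the issue, as an added example that is not part of this thread or the project's code: plain Ruby, no Rails or database, with `quote_value` and `expand_conditions` as an assumed stand-in for what ActiveRecord does with each `?` placeholder.

```ruby
# Added example (not from the repository): contrasts the two ActiveRecord
# :conditions forms from the issue using plain Ruby, no Rails or database needed.

# Vulnerable form from the issue: the parameter is interpolated straight into SQL.
def interpolated_conditions(name)
  "name LIKE '%#{name}%'"
end

# Recommended form from the issue: SQL with a placeholder, value passed separately.
def bound_conditions(orders)
  ["orders_count = ?", orders]
end

# Assumed stand-in for the adapter's quoting of each "?" value: integers pass
# through, strings are wrapped in quotes with embedded quotes doubled (standard SQL).
def quote_value(value)
  case value
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported type #{value.class}"
  end
end

# Expands an array-form condition into the final SQL, checking that the number
# of placeholders matches the number of supplied values.
def expand_conditions(conditions)
  sql, *values = conditions
  raise ArgumentError, "placeholder count mismatch" unless sql.count("?") == values.size
  values.each { |v| sql = sql.sub("?") { quote_value(v) } }
  sql
end

# Counting single quotes shows whether the string literal is still intact after
# user input is inserted: an odd count means the input terminated the literal.
def literal_balanced?(sql)
  sql.count("'").even?
end

# Constructed input: a perfectly ordinary name containing an apostrophe.
puts interpolated_conditions("O'Brien")              # literal broken, odd quote count
puts expand_conditions(["name LIKE ?", "%O'Brien%"])  # quote doubled, literal intact
puts expand_conditions(bound_conditions(3))
```

The same apostrophe that merely causes a syntax error here is what lets a crafted value alter the query's meaning in the interpolated form; the placeholder form keeps the input as data.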