From 4252af58c04e119ccce42d57352a836f273d6979 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Mon, 28 Apr 2014 12:41:06 -0400 Subject: That query was literally taken from the "don't do this, you'll get SQL injections" example in the Rails tutorial... --- app/controllers/search_controller.rb | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) (limited to 'app') diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb index d312623..af35ddb 100644 --- a/app/controllers/search_controller.rb +++ b/app/controllers/search_controller.rb @@ -1,7 +1,6 @@ class SearchController < ApplicationController def go - stringMade = false; @games = Game.all @query = params[:query] @gametype = params[:game_type] @@ -10,21 +9,33 @@ class SearchController < ApplicationController return end - qstring = "" - if (!@query.empty?) - qstring += "name LIKE '%#{@query}%'" - stringMade = true + tour_filters = [] + user_filters = [] + unless @query.empty? + tour_filters.push(["name LIKE ?", "%#{@query}%"]) + user_filters.push(["name LIKE ?", "%#{@query}%"]) end - if (!@gametype.nil? and !@gametype.empty?) - if (stringMade) - qstring += " AND " - end - qstring += "game_id=#{@gametype}" + unless @gametype.nil? or @gametype.empty? + tour_filters.push(["game_id = ?", @gametype]) end - @tournaments = Tournament.where(qstring) - @players = User.where("name LIKE '%#{@query}%'") + if tour_filters.empty? + @tournamets = [] + else + @tournaments = Tournament + tour_filters.each do |filter| + @tournaments = @tournaments.where(*filter) + end + end + if user_filters.empty? + @players = [] + else + @players = User + user_filters.each do |filter| + @players = @players.where(*filter) + end + end end end -- cgit v1.2.3-2-g168b