authorLuke Shumaker <shumakl@purdue.edu>2014-04-28 12:41:06 -0400
committerLuke Shumaker <shumakl@purdue.edu>2014-04-28 12:41:06 -0400
commit4252af58c04e119ccce42d57352a836f273d6979 (patch)
tree66c83ad9dcfb22e5a64c0a3e509cf102a59a59c9
parent657d7071828e6639cc2261b80e87418efea64df6 (diff)
That query was literally taken from the "don't do this, you'll get SQL injections" example in the Rails tutorial...
-rw-r--r--app/controllers/search_controller.rb35
1 files changed, 23 insertions, 12 deletions
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index d312623..af35ddb 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -1,7 +1,6 @@
class SearchController < ApplicationController
def go
- stringMade = false;
@games = Game.all
@query = params[:query]
@gametype = params[:game_type]
@@ -10,21 +9,33 @@ class SearchController < ApplicationController
return
end
- qstring = ""
- if (!@query.empty?)
- qstring += "name LIKE '%#{@query}%'"
- stringMade = true
+ tour_filters = []
+ user_filters = []
+ unless @query.empty?
+ tour_filters.push(["name LIKE ?", "%#{@query}%"])
+ user_filters.push(["name LIKE ?", "%#{@query}%"])
end
- if (!@gametype.nil? and !@gametype.empty?)
- if (stringMade)
- qstring += " AND "
- end
- qstring += "game_id=#{@gametype}"
+ unless @gametype.nil? or @gametype.empty?
+ tour_filters.push(["game_id = ?", @gametype])
end
- @tournaments = Tournament.where(qstring)
- @players = User.where("name LIKE '%#{@query}%'")
+ if tour_filters.empty?
+ @tournamets = []
+ else
+ @tournaments = Tournament
+ tour_filters.each do |filter|
+ @tournaments = @tournaments.where(*filter)
+ end
+ end
+ if user_filters.empty?
+ @players = []
+ else
+ @players = User
+ user_filters.each do |filter|
+ @players = @players.where(*filter)
+ end
+ end
end
end
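Review bot: `@tournamets = []` in the `if tour_filters.empty?` branch misspells the instance variable, so `@tournaments` is never assigned when no filter applies and whatever renders it receives nil instead of an empty collection; the line should read `@tournaments = []`. The condition `unless @gametype.nil? or @gametype.empty?` relies on `or`, whose low precedence is a known trap; spelling it `unless @gametype.nil? || @gametype.empty?` (or `if @gametype.present?`, since this is a Rails controller) avoids the ambiguity. The `?` placeholders do close the injection named in the commit message, but `"%#{@query}%"` still passes any `%` or `_` typed by the user through as a LIKE wildcard, so a lone `%` matches every row; escaping those characters before the pattern is built would make the filter mean what the UI suggests. The branches that return `[]` and the branches that return a relation give the view two different types for the same variable, which is worth a comment such as `# [] when nothing was requested; a Relation otherwise` if the callers are expected to cope with both. The `go` method begins in the first hunk, and the early `return` that presumably guards `@query.empty?` against a nil `params[:query]` lies outside this hunk, so that guard could not be verified here.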