From 4252af58c04e119ccce42d57352a836f273d6979 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Mon, 28 Apr 2014 12:41:06 -0400 Subject: That query was literally taken from the "don't do this, you'll get SQL injections" example in the Rails tutorial... --- app/controllers/search_controller.rb | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb index d312623..af35ddb 100644 --- a/app/controllers/search_controller.rb +++ b/app/controllers/search_controller.rb @@ -1,7 +1,6 @@ class SearchController < ApplicationController def go - stringMade = false; @games = Game.all @query = params[:query] @gametype = params[:game_type] @@ -10,21 +9,33 @@ class SearchController < ApplicationController return end - qstring = "" - if (!@query.empty?) - qstring += "name LIKE '%#{@query}%'" - stringMade = true + tour_filters = [] + user_filters = [] + unless @query.empty? + tour_filters.push(["name LIKE ?", "%#{@query}%"]) + user_filters.push(["name LIKE ?", "%#{@query}%"]) end - if (!@gametype.nil? and !@gametype.empty?) - if (stringMade) - qstring += " AND " - end - qstring += "game_id=#{@gametype}" + unless @gametype.nil? or @gametype.empty? + tour_filters.push(["game_id = ?", @gametype]) end - @tournaments = Tournament.where(qstring) - @players = User.where("name LIKE '%#{@query}%'") + if tour_filters.empty? + @tournamets = [] + else + @tournaments = Tournament + tour_filters.each do |filter| + @tournaments = @tournaments.where(*filter) + end + end + if user_filters.empty? + @players = [] + else + @players = User + user_filters.each do |filter| + @players = @players.where(*filter) + end + end end end -- cgit v1.2.3
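Review bot: The empty-filter branch of the tournament lookup assigns `@tournamets = []` (typo), so `@tournaments` is left nil whenever neither a query nor a game type is supplied and the view will see nil instead of an empty collection; it should read `@tournaments = []`. The switch to `where("name LIKE ?", "%#{@query}%")` does bind the value, which removes the injection, but `%` and `_` inside `@query` are still interpreted as LIKE wildcards, so a caller can widen the match to every row; if that matters for this search, escape those characters before wrapping the term in `%`. The `@query.empty?` and `@gametype.empty?` calls assume `params[:query]` is a string; the guard that returns early is only partly visible here (the `return`/`end` at the top of the hunk), so the nil case can't be confirmed from this hunk. As a point of style, the two `each` loops that rebuild `@tournaments`/`@players` from a class constant could be a single `reduce`, e.g. `@tournaments = tour_filters.reduce(Tournament) { |scope, f| scope.where(*f) }`, and `unless ... or ...` is the form RuboCop flags (`||` has the intended precedence). The `go` method begins in the previous hunk and its `end` closes this one.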