On Dec 3, 2004, at 10:17, Dave Thomas wrote:
> In Rails, the documentation for criteria makes it look as if the same
> is true. It isn't. If I say
>
> table.find_all([ "id=%d", @params["p_id"] ])
> then a malicious incoming string will indeed inject SQL into my system.
Typo - I should have said "id=%s"
Dave
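An added example, not code from the thread, in plain Ruby with no Rails dependency: the `%s` interpolation Dave describes beside a `?` bind placeholder that quotes and escapes the value, the idea behind ActiveRecord's conditions-array handling. The helper names, `build_query`, and the sample input are constructed for illustration.

```ruby
# Added example (not from the thread). Contrasts a format-string style
# condition with a bind-style condition that quotes and escapes the value.

# Vulnerable: "%s" only interpolates text. Nothing quotes or escapes it,
# so whatever the caller supplies becomes part of the SQL grammar.
def condition_with_format(template, *values)
  template % values
end

# Render one value as a SQL literal: integers and NULL as-is, everything
# else as a single-quoted string with embedded quotes doubled.
# (Simplified; a real adapter handles more types and encodings.)
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Safe: each "?" is replaced by the quoted value, so the input stays data.
def condition_with_binds(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  queue = values.dup
  template.gsub("?") { quote_value(queue.shift) }
end

def build_query(where)
  "SELECT * FROM posts WHERE #{where}"
end

if __FILE__ == $0
  # Constructed input standing in for @params["p_id"].
  untrusted = "1 OR 1=1"
  puts build_query(condition_with_format("id=%s", untrusted)) # injected
  puts build_query(condition_with_binds("id=?", untrusted))   # literal
end
```

The first query compares `id` against an expression the caller wrote; the second compares it against a string literal, which is what the `?` form guarantees.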