Sort by sql question

blewis · September 23, 2006, 10:27pm

if I do a pagination:
@document_pages, @documents = paginate :documents, :per_page => 20,
:include => [:company], :conditions => “doc_type_id = ‘#{@doc_type}’”,
:order => “#{order_by}”

How could I sort by doc_type.title?

Thanks,
Ben L.

blewis · September 23, 2006, 11:30pm

Ben L. wrote:

if I do a pagination:
@document_pages, @documents = paginate :documents, :per_page => 20,
:include => [:company], :conditions => “doc_type_id = ‘#{@doc_type}’”,
:order => “#{order_by}”

How could I sort by doc_type.title?

As you would with find :all, i.e. use an appropriate :joins clause
Also by doing what you have done above you could be opening the door to
sql injection attacks.

Fred

blewis · September 24, 2006, 10:11am

Dear Ben:

In case you need the clarification on the sql injection attacks Fred
alluded to, you might want to read
http://manuals.rubyonrails.com/read/chapter/43

I haven’t tried running this but I believe the suggestion is instead of
writing:

@document_pages, @documents = paginate :documents, :per_page => 20,
:include => [:company], :conditions => “doc_type_id = ‘#{@doc_type}’”,
:order => “#{order_by}”

I think the suggestion is for you to write something like:

@document_pages, @documents = paginate :documents,
:per_page => 20,
:include => [:company],
:conditions => [“doc_type_id = :doc_type_id”, {:doc_type_id
=>@doc_type}],
:order => [“:order_by_criteria”, {:order_by_criteria => order_by}]

(I played around with this syntax with the find method, and will assume
that the pagination works similarly…)

Hope this helps!

Dominique

Frederick C. wrote:

Ben L. wrote:

if I do a pagination:
@document_pages, @documents = paginate :documents, :per_page => 20,
:include => [:company], :conditions => “doc_type_id = ‘#{@doc_type}’”,
:order => “#{order_by}”

How could I sort by doc_type.title?

As you would with find :all, i.e. use an appropriate :joins clause
Also by doing what you have done above you could be opening the door to
sql injection attacks.

Fred

blewis · September 24, 2006, 10:16pm

Hey thanks for the tips on sql injection! Didn’t realize that was
happening!

With the join, would I still use the :include? What would the syntax
look like?

Thanks again,
Ben