r988@mjolnir: ewilhelm | 2006-02-19 17:03:32 -0800

ewilhelm · ewilhelm · commit 76d45d5d990f · 2006-05-04T06:31:24.000Z
app/models/participant.rb - note possible sql injection git-svn-id: http://svn.pdxruby.org/repos/www/trunk@204 f0fbaf97-c700-0410-a5eb-8ea856f8537e
diff --git a/app/models/participant.rb b/app/models/participant.rb
@@ -21,6 +21,8 @@ def is_attending?
   end
 
   def self.find_upcoming(member_id)
+    # XXX elw: find_all [statement, member_id] or else quote member_id ?
+    # http://manuals.rubyonrails.com/read/chapter/43
     return self.find_by_sql("SELECT * FROM events e, participants p " +
       "WHERE p.event_id=e.id AND p.member_id=#{member_id} AND e.starts_at>current_date")
   end
