0
我目前在Rails網頁中有一個觀察字段,它使用AJAX搜索特定用戶名。但是,我無法正確地獲得轉義序列。 這裏是Rails代碼:Rails觀察字段轉義排序
%= observe_field "new_member_search",
:url => {:controller => :user, :action => :search},
:frequency => 0.5,
:update => 'ProjectMemberNew',
:with => :username
%>
,這裏是控制器
def search #search for user, use in 'Project Add Member'
name = params['username']
limit = params['limit'] || 21
users = unless name.blank?
User.find_by_sql(
["select id,icon,login,realname,email from users where
#{User.verified_users} and login like ? limit ?","%#{name}%" ,limit])
else
[]
end
render(:partial => 'search_hit_member',
:locals => {:users => users},
:layout => false)
末
這將產生以下的Javascript
<script type="text/javascript">
//<![CDATA[
jQuery('#new_member_search').delayedObserver(0.5, function(element, value) {jQuery.ajax({data:'username=' + value, success:function(request){jQuery('#ProjectMemberNew').html(request);}, type:'post', url:'/of/user/search'})})
//]]>
</script>
很奇怪,它不應該工作。我只是從Prototype切換到JQUERY。
謝謝,
'User.find_by_sql'代碼是危險的,並且傾向於SQL注入:http://wiki.rubyonrails.org/howtos/security/sql_injection – Zabba 2011-01-05 07:53:45
感謝您的建議。我已通知技術團隊,我們將開始研究它... – TheRealVayne 2011-01-06 09:10:42