purged all use of find_by_sql (we don't need no steenkin sql)

Lennon Day-Reynolds · Lennon Day-Reynolds · commit 16c78ca86d1b · 2008-08-09T14:05:22.000-07:00
diff --git a/app/controllers/index_controller.rb b/app/controllers/index_controller.rb
@@ -2,6 +2,6 @@ class IndexController < ApplicationController
   def index
     @upcoming_events = Event.find_upcoming(UPCOMING_EVENT_LIMIT)
     @recent_events   = Event.find_recent(RECENT_EVENT_LIMIT)
-    @member_articles = Article.find_by_sql "SELECT * FROM articles ORDER BY modified_at DESC LIMIT " + RECENT_ARTICLE_LIMIT.to_s;
+    @member_articles = Article.find(:all, :limit => RECENT_ARTICLE_LIMIT, :order => 'modified_at DESC')
   end
 end
diff --git a/app/models/participant.rb b/app/models/participant.rb
@@ -21,9 +21,10 @@ def is_attending?
   end
 
   def self.find_upcoming(member_id)
-    # XXX elw: find_all [statement, member_id] or else quote member_id ?
-    # http://manuals.rubyonrails.com/read/chapter/43
-    return self.find_by_sql("SELECT * FROM events e, participants p " +
-      "WHERE p.event_id=e.id AND p.member_id=#{member_id} AND e.starts_at>current_date")
+    # this is marginally slower than the original find_by_sql call, but doesn't expose
+    # a huge SQL injection hole, either
+    self.find(:all, :conditions => ['member_id = ?', member_id]).select do |p|
+      p.event.starts_at > Time.today
+    end
   end
 end
diff --git a/db/test.sqlite3 b/db/test.sqlite3
