From 0be5d674d9874416c4d2896698cc34f2083d3331 Mon Sep 17 00:00:00 2001
From: ken1flan
Date: Fri, 4 May 2018 09:21:47 +0900
Subject: [PATCH 1/2] Add published scope

---
 app/controllers/blogs_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/blogs_controller.rb b/app/controllers/blogs_controller.rb
index d2eac35..fb4cf39 100644
--- a/app/controllers/blogs_controller.rb
+++ b/app/controllers/blogs_controller.rb
@@ -20,6 +20,6 @@ def index
   end
 
   def show
-    @blog = Blog.find(params[:id])
+    @blog = Blog.published.find(params[:id])
   end
 end

From 70c697263e9b61f4688ced4ab88af61c6046a17b Mon Sep 17 00:00:00 2001
From: ken1flan
Date: Fri, 4 May 2018 09:58:25 +0900
Subject: [PATCH 2/2] Fix sql injection

---
 app/controllers/blogs_controller.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/controllers/blogs_controller.rb b/app/controllers/blogs_controller.rb
index fb4cf39..ac428b9 100644
--- a/app/controllers/blogs_controller.rb
+++ b/app/controllers/blogs_controller.rb
@@ -7,15 +7,15 @@ def index
     @search_end_at = params[:search_end_at]
 
     if @search_text.present?
-      @blogs = @blogs.where("title LIKE \"%#{@search_text}%\" OR body LIKE \"%#{@search_text}%\"")
+      @blogs = @blogs.where("title LIKE :search_text OR body LIKE :search_text", search_text: "%#{@search_text}%")
     end
 
     if @search_start_at.present?
-      @blogs = @blogs.where("created_at >= '#{@search_start_at}'")
+      @blogs = @blogs.where("created_at >= ?", @search_start_at)
     end
 
     if @search_end_at.present?
-      @blogs = @blogs.where("created_at <= '#{@search_end_at}'")
+      @blogs = @blogs.where("created_at <= ?", @search_end_at)
     end
   end
 
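Review bot: The `+` line in `show` restricts the lookup to `Blog.published`, so an unpublished id now raises `ActiveRecord::RecordNotFound` and Rails answers 404, but the same restriction is not visibly applied to `index`, whose base `@blogs` relation is assigned above the hunk of patch 2 and outside this diff; if `index` still starts from `Blog.all`, unpublished posts remain discoverable through the title/body search even though their `show` page is hidden. The `published` scope itself is not part of this patch, so I cannot confirm what it filters on. I would apply the same scope where `@blogs` is first built in `index`, and add a request spec asserting that an unpublished blog returns 404 from `show` and does not appear in `index` results.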
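Review bot: The `search_text` bind value on the first `+` line still interpolates the user's text straight into the LIKE pattern, so `%` and `_` typed by the user act as wildcards (a bare `%` matches every row) instead of literal characters; escape them with `search_text: "%#{Blog.sanitize_sql_like(@search_text)}%"` — to my knowledge `sanitize_sql_like` is public only from Rails 5.2, so on an older app it needs a small class-method wrapper on `Blog`. The two `created_at` comparisons are now correctly parameterized, but they hand the raw `search_start_at`/`search_end_at` strings to the database, so a malformed date surfaces as a database error (500) or, on adapters that fall back to text comparison, as a silently wrong range; parsing them first (e.g. `Time.zone.parse` and skipping the clause when it returns `nil`) gives a controlled failure. `index` begins above this hunk.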