Make sure is an int, and GET access

[pjleonhardt]

Hey there,
Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bare with me

In one of my controllers I'm doing something like:

def view_listing
id = params[:listing]
@listing = Listing.find(id)
end

basically, trying to show the details on a specific listing. If it is called like
website.com/controller/view_listing/219, i get params[:id] equal to 219, right?

Also, how do I verify that it is actually an int (sql safe.)

Thanks!

[Majglow]

Hey there,
Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bare with me

In one of my controllers I'm doing something like:

def view_listing
id = params[:listing]
@listing = Listing.find(id)
end

basically, trying to show the details on a specific listing. If it is called like
website.com/controller/view_listing/219, i get params[:id] equal to 219, right?

Also, how do I verify that it is actually an int (sql safe.)

Thanks!

SQL safe is taken for you in most cases in rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, running any SQL queries yourself. If you want to catch errors, I usually do this:

Code:

def view_listing
  @listing = Listing.find(params[:listing])
rescue ActiveRecord::RecordNotFound
  render :action => 'page_not_found'
end

If you want to make sure that the user is accessing the method by get, you can do in your method (well, you should do this really because there is nothing that happens if it isn't get):

Code:

def view_listing
  @listing = Listing.find(params[:listing]) if request.get?
end

Or, use the verify class method

Code:

verify :method => :get, :only => :view_listing, :redirect_to => :index

def view_listing
  @listing = Listing.find(params[:listing])
end

[Fenrir2]

SQL safe is taken for you in most cases in rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, running any SQL queries yourself. If you want to catch errors, I usually do this:

Rails prevents sql injection if you use conditions with ?'s:

Conditions can either be specified as a string or an array representing the WHERE-part of an SQL statement. The array form is to be used when the condition input is tainted and requires sanitization. The string form can be used for statements that don’t involve tainted data. Examples:

Code:

  User < ActiveRecord::Base
    def self.authenticate_unsafely(user_name, password)
      find(:first, :conditions => "user_name = '#{user_name}' AND password = '#{password}'")
    end

    def self.authenticate_safely(user_name, password)
      find(:first, :conditions => [ "user_name = ? AND password = ?", user_name, password ])
    end
  end

The authenticate_unsafely method inserts the parameters directly into the query and is thus susceptible to SQL-injection attacks if the user_name and password parameters come directly from a HTTP request. The authenticate_safely method, on the other hand, will sanitize the user_name and password before inserting them in the query, which will ensure that an attacker can’t escape the query and fake the login (or worse).