Jun 16, 2006, 17:54 #1
Make sure is an int, and GET access
Hey there,
Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bear with me.
In one of my controllers I'm doing something like:
def view_listing
  id = params[:listing]
  @listing = Listing.find(id)
end
basically, trying to show the details on a specific listing. If it is called like
website.com/controller/view_listing/219, I get params[:id] equal to 219, right?
Also, how do I verify that it is actually an int (sql safe.)
Thanks!
Jun 16, 2006, 22:47 #2
Originally Posted by pjleonhardt
Code:
def view_listing
  @listing = Listing.find(params[:listing])
rescue ActiveRecord::RecordNotFound
  render :action => 'page_not_found'
end

Code:
def view_listing
  @listing = Listing.find(params[:listing]) if request.get?
end

Code:
verify :method => :get, :only => :view_listing, :redirect_to => :index

def view_listing
  @listing = Listing.find(params[:listing])
end
Ohai!
Jun 17, 2006, 02:58 #3
SQL safety is taken care of for you in most cases in Rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, when running any SQL queries yourself. If you want to catch errors, I usually do this:
Conditions can either be specified as a string or an array representing the WHERE-part of an SQL statement. The array form is to be used when the condition input is tainted and requires sanitization. The string form can be used for statements that don’t involve tainted data. Examples:
Code:
class User < ActiveRecord::Base
  # Tainted input interpolated straight into the WHERE clause (the unsafe form).
  def self.authenticate_unsafely(user_name, password)
    find(:first, :conditions => "user_name = '#{user_name}' AND password = '#{password}'")
  end

  # Array form: ActiveRecord quotes each bound value before substituting it for ?.
  def self.authenticate_safely(user_name, password)
    find(:first, :conditions => [ "user_name = ? AND password = ?", user_name, password ])
  end
end
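As an added example (not code from the thread or from Rails itself), here is a plain-Ruby model of the two points raised above: a strict integer check for the route id, and a constructed `sanitize_conditions` helper that stands in for what ActiveRecord does with array-form `:conditions`, shown beside the interpolated string form. The `quote`/`sanitize_conditions` names and the sample inputs are assumptions made for this example.

```ruby
# Added example: models the thread's two questions in plain Ruby. The helpers
# below are constructed for illustration and are not the ActiveRecord API.

# Strict check for a route id such as params[:listing]: only an unsigned
# decimal integer string passes; nil, "219abc" and "1 OR 1=1" are rejected.
def listing_id(param)
  return nil unless param.is_a?(String) && param.match?(/\A\d+\z/)
  Integer(param, 10)
end

# Quote one value the way a SQL adapter would: integers stay bare, nil becomes
# NULL, strings are single-quoted with embedded quotes doubled (ANSI escaping).
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Array-form conditions: each ? is replaced, in order, by the quoted value.
def sanitize_conditions(conditions)
  template, *values = conditions
  raise ArgumentError, 'wrong number of bind values' unless template.count('?') == values.size
  pending = values.dup
  template.gsub('?') { quote(pending.shift) }
end

# String-form conditions built by interpolation: input lands in the SQL verbatim.
def unsafe_conditions(user_name, password)
  "user_name = '#{user_name}' AND password = '#{password}'"
end

if __FILE__ == $PROGRAM_NAME
  tainted = "' OR '1'='1"   # constructed sample input, as a user might type it
  puts unsafe_conditions('bob', tainted)
  puts sanitize_conditions(['user_name = ? AND password = ?', 'bob', tainted])
  p listing_id('219'), listing_id('219; DROP TABLE listings')
end
```

Running it prints the interpolated clause with the quoting broken and the sanitized clause with every embedded quote doubled, so the whole value stays inside one string literal.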