  1. #1
    SitePoint Addict
    Join Date
    Jan 2006
    Posts
    268

    Make sure is an int, and GET access

    Hey there,
    Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bear with me

    In one of my controllers I'm doing something like:

    def view_listing
      id = params[:listing]
      @listing = Listing.find(id)
    end

    basically, trying to show the details on a specific listing. If it is called like
    website.com/controller/view_listing/219, I get params[:id] equal to 219, right?

    Also, how do I verify that it is actually an int (SQL safe)?

    Thanks!

  2. #2
    SitePoint Guru Majglow
    Join Date
    Aug 1999
    Location
    B-Town
    Posts
    645
    Quote Originally Posted by pjleonhardt
    Hey there,
    Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bear with me

    In one of my controllers I'm doing something like:

    def view_listing
      id = params[:listing]
      @listing = Listing.find(id)
    end

    basically, trying to show the details on a specific listing. If it is called like
    website.com/controller/view_listing/219, I get params[:id] equal to 219, right?

    Also, how do I verify that it is actually an int (SQL safe)?

    Thanks!
    SQL safe is taken for you in most cases in rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, running any SQL queries yourself. If you want to catch errors, I usually do this:

    Code:
    def view_listing
      @listing = Listing.find(params[:listing])
    rescue ActiveRecord::RecordNotFound
      render :action => 'page_not_found'
    end
    If you want to make sure that the user is accessing the method by get, you can do in your method (well, you should do this really because there is nothing that happens if it isn't get):

    Code:
    def view_listing
      @listing = Listing.find(params[:listing]) if request.get?
    end
    Or, use the verify class method

    Code:
    verify :method => :get, :only => :view_listing, :redirect_to => :index
    
    def view_listing
      @listing = Listing.find(params[:listing])
    end
    Ohai!

  3. #3
    SitePoint Guru
    Join Date
    Aug 2005
    Posts
    986
    Quote Originally Posted by Majglow
    SQL safe is taken for you in most cases in rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, running any SQL queries yourself. If you want to catch errors, I usually do this:
    Rails prevents sql injection if you use conditions with ?'s:

    Conditions can either be specified as a string or an array representing the WHERE-part of an SQL statement. The array form is to be used when the condition input is tainted and requires sanitization. The string form can be used for statements that don't involve tainted data. Examples:

    Code:
      class User < ActiveRecord::Base
        def self.authenticate_unsafely(user_name, password)
          find(:first, :conditions => "user_name = '#{user_name}' AND password = '#{password}'")
        end
    
        def self.authenticate_safely(user_name, password)
          find(:first, :conditions => [ "user_name = ? AND password = ?", user_name, password ])
        end
      end
    The authenticate_unsafely method inserts the parameters directly into the query and is thus susceptible to SQL-injection attacks if the user_name and password parameters come directly from a HTTP request. The authenticate_safely method, on the other hand, will sanitize the user_name and password before inserting them in the query, which will ensure that an attacker can't escape the query and fake the login (or worse).
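The following is an added example, not code from this thread or from Rails itself. It is a plain-Ruby sketch of two things the posts above describe: the strict integer check the original poster asked for on a URL parameter like params[:listing], and why the array form of :conditions with ? placeholders is safe while the interpolated string form in authenticate_unsafely is not. The sanitize_sql_array and quote_sql_value functions here are simplified re-implementations written for illustration; they are not ActiveRecord's own methods, and they only quote integers, nil and strings. The sample input with a stray quote is constructed.

```ruby
# Added example (not from the thread): strict id validation plus a
# simplified model of how "?" placeholders keep input out of SQL structure.

# Strict integer check for an id taken from the URL: only ASCII digits,
# no sign, no whitespace, no "1_000" separators. Returns nil otherwise.
# (Integer("1_000") and Integer(" 219 ") would both succeed, hence a regexp.)
def listing_id(param)
  return nil unless param.is_a?(String) && param.match?(/\A\d+\z/)
  param.to_i
end

# Quote one Ruby value as a SQL literal: integers stay bare, nil becomes NULL,
# strings are single-quoted with every embedded quote doubled.
# Simplified stand-in for what a real adapter does; not ActiveRecord's code.
def quote_sql_value(value)
  case value
  when Integer then value.to_s
  when NilClass then "NULL"
  when String then "'" + value.gsub("'", "''") + "'"
  else
    raise ArgumentError, "unsupported value type #{value.class}"
  end
end

# The array form: ["user_name = ? AND password = ?", user_name, password].
# Every "?" is replaced by a quoted value, so user input can only ever be a
# literal, never part of the statement's structure. Placeholder and value
# counts must match. (This toy counts every "?" character, so a "?" inside a
# literal in the SQL template would be miscounted; keep templates simple.)
def sanitize_sql_array(condition)
  sql, *values = condition
  placeholders = sql.count("?")
  unless placeholders == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{placeholders})"
  end
  remaining = values.dup
  sql.gsub("?") { quote_sql_value(remaining.shift) }
end

# The string form from authenticate_unsafely: plain interpolation, no quoting.
def unsafe_condition(user_name, password)
  "user_name = '#{user_name}' AND password = '#{password}'"
end

# The array form from authenticate_safely.
def safe_condition(user_name, password)
  sanitize_sql_array(["user_name = ? AND password = ?", user_name, password])
end

if __FILE__ == $0
  # Constructed sample input: a password containing a single quote.
  tricky = "x' OR '1'='1"
  puts unsafe_condition("bob", tricky)   # quote closes the literal early
  puts safe_condition("bob", tricky)     # quote is doubled, stays a literal
  p listing_id("219")                    # 219
  p listing_id("219; DROP TABLE listings") # nil
  p listing_id("1_000")                  # nil
end
```

Running the file prints the two WHERE clauses side by side: in the interpolated version the supplied quote terminates the password literal and the rest of the input becomes SQL, while in the placeholder version the quote is doubled and the whole value remains one string literal. In a real Rails controller the same idea applies to the id: check it with listing_id before calling Listing.find, and keep the array form for any :conditions that include request data.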

