| SitePoint Sponsor |
Hey there,
Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bare with me
In one of my controllers I'm doing something like:
def view_listing
id = params[:listing]
@listing = Listing.find(id)
end
basically, trying to show the details on a specific listing. If it is called like
website.com/controller/view_listing/219, i get params[:id] equal to 219, right?
Also, how do I verify that it is actually an int (sql safe.)
Thanks!
SQL safe is taken for you in most cases in rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, running any SQL queries yourself. If you want to catch errors, I usually do this:Originally Posted by pjleonhardt
Hey there,
Easy questions for you guys (and gals). I've only been studying ruby/rails for about 2 days, so bare with me
In one of my controllers I'm doing something like:
def view_listing
id = params[:listing]
@listing = Listing.find(id)
end
basically, trying to show the details on a specific listing. If it is called like
website.com/controller/view_listing/219, i get params[:id] equal to 219, right?
Also, how do I verify that it is actually an int (sql safe.)
Thanks!
If you want to make sure that the user is accessing the method by get, you can do in your method (well, you should do this really because there is nothing that happens if it isn't get):Code:def view_listing @listing = Listing.find(params[:listing]) rescue ActiveRecord::RecordNotFound render :action => 'page_not_found' end
Or, use the verify class methodCode:def view_listing @listing = Listing.find(params[:listing]) if request.get? end
Code:verify :method => :get, :only => :view_listing, :redirect_to => :index def view_listing @listing = Listing.find(params[:listing]) end
Ohai!
Rails prevents sql injection if you use conditions with ?'s:SQL safe is taken for you in most cases in rails. The only time you have to be careful is when using the conditions option, in which case you do :conditions => ["my_column = ?", params[:my_value]] and, of course, running any SQL queries yourself. If you want to catch errors, I usually do this:
Conditions can either be specified as a string or an array representing the WHERE-part of an SQL statement. The array form is to be used when the condition input is tainted and requires sanitization. The string form can be used for statements that don’t involve tainted data. Examples:
The authenticate_unsafely method inserts the parameters directly into the query and is thus susceptible to SQL-injection attacks if the user_name and password parameters come directly from a HTTP request. The authenticate_safely method, on the other hand, will sanitize the user_name and password before inserting them in the query, which will ensure that an attacker can’t escape the query and fake the login (or worse).Code:User < ActiveRecord::Base def self.authenticate_unsafely(user_name, password) find(:first, :conditions => "user_name = '#{user_name}' AND password = '#{password}'") end def self.authenticate_safely(user_name, password) find(:first, :conditions => [ "user_name = ? AND password = ?", user_name, password ]) end end
Posting Permissions
Bookmarks