OK so i have this condition
conditions = {}
conditions[:state] = params[:state] if params[:state]
#apps = current.apps.paginate(:include => :user, :conditions => conditions, :order => "users.first_name, users.last_name")
and my routes file has
map.apps_wishlist '/apps/wishlist', :controller => 'apps', :action => 'index', :state => 'wishlist'
Since i am sending in the string should i escape the sql somehow for security reasons and if so how is the best way to do that
Someone suggested they think the params[:state] should be escaped when put into the SQL query for security reasons
They don't know what they're talking about. As long as you do either
SomeModel.where(:conditions => {:state => params[:state]})
#or
SomeModel.find(:conditions => {:state => params[:state]})
#or
SomeModel.where("state = ?", params[:state])
ActiveRecord will handle all the escaping itself, so the code you've given above is fine/ The only case it doesn't cover is if you were building up the sql entirely on your own, i.e. don't do
SomeModel.where("state = #{params[:state]}")
If you're using find_by_sql, execute and so on then you are also responsible for escaping. Don't just take my word for it though - try it! You might also want to look at the rails security guide
Related
I'm creating a customisable nav menu for our site and have run into the following problem.
I need to generate a URL to any controller and action on the site and optionally pass it parameters. I was able to do the former by simply saying:
url_for(:controller => nav[:controller_name], :action => nav[:action_name])
which is great for sending you to {controller}/{action}. eg. news/articles
Throwing options in suddenly changes the game. Now I need to send you to something like:
{controller}/{action}/{category}/{slug}/{id}
eg. news/articles/world-domination/montana-max-vows-revenge/12345
the helper for the above would be something along the lines of:
news_article_path('world-domination', 'montana-max-vows-revenge', '12345')
and I haven't been able to replicate that in a vanilla url_for due to the arguments.
What I have done, and I don't really like is:
url_for(send("#{nav[:controller_name]}_#{nav[:action_name]}_path", *nav[:options]))
which generates the helper using send and then passes it a kwargs list. I'm sure there's a better way to do that surely?
You can do this cleanly if you are able to name the options (split here over lines for legibility):
url_for({
:controller => nav[:controller_name],
:action => nav[:action_name]
}.merge(nav[:options] || {}))
where
nav = {
:controller_name => 'news',
:action_name => 'articles',
:options => {
:category => 'world-domination',
:slug => 'montana-max-vows-revenge',
:id => '12345'
}
}
I want to accept URLs for my objects that contain an element that is not used, but which would be nice for SEO reasons. For example, I want to accept an url like:
http://localhost:3000/people/USA/123-joe-schmoe
.. where the "/USA" bit has no significance at all, other than signaling to users and search engines that this person resides in the USA.
I've tried setting up my rule using globbing, as well as for example doing something like
match "people/:whatever/:id" => "people#show", :constraints => {:id => /\d+-.*/}, :as => "person"
But this results in an attempt to route to :controller => people, :action => "show", :whatever => #<Person id: 123 ...> which fails.
Is it possible to have the routing ignore the :whatever part and pass in my :id in stead?
You can try a widcard match instead
match "people/*/:id => "doctors#show", :constraints=> {:id=>/\d+=.*/}, :as=>"person"
I'm working with an internal API application. When I use my front-end app to request information, i can pass an additional parameter with the request like this:
Model.find(id, :params => {:locale => I8n.locale})
or
Model.get(:custom_api_call, :locale => I18n.locale)
Is there a place to do that with Model.save or Model.update_attributes? For instance, this doesn't work:
Model.save(:params => {:locale => I18n.locale})
Model.save(:locale => I18n.locale)
Model.update_attributes(:locale => I18n.locale)
Model.update_attributes(:params => {:locale => I18n.locale})
As you can imagine, those simply add :locale to the attributes sent to my API.
Better yet! If someone knows how to pass :locale => I18n.locale as a parameter with every communication, that would let me dry up a lot of my code.
Thank you for your time
I would like to do just a little bit of extra logic in rotues.rb, that probably doesn't belong there, but it seems to make the most sense to me.
I have two conflicting routes. To be primitive:
match '/videos/:browseby' => 'videos#browse', :as => "browse_by"
Where :browseby is looking for a string, such as "Tags", to browse videos by tags.
However, (and most probably saw this coming) I also have my basic show resource (again in primitive form):
match '/videos/:id' => 'videos#show', :as => "video"
Where :id is looking for the integer for the video ID.
Is there a way to add a small bit of logic such as...
match '/videos/:id' => 'videos#show', :as => "video", :format(:id) => :integer
(Which is my hypothetical rails syntax, to help show what I'm looking for.)
I know I can munch this in the Controller level, but it makes more sense to me to handle it at the route level.
You could try using :constraints and a regex:
match '/videos/:id' => 'videos#show', :as => "video", :constraints => { :id => /\d/ }
match '/videos/:browseby' => 'videos#browse', :as => "browse_by"
You'll also want to make sure the looser :browseby version comes after the :id version. Note that regex constraints are implicitly anchored at the beginning so that would work as long as your :browseby values didn't start with a number.
If you have tags that do start with numbers then you could use an object for the constraint and then you could include anchors in your regex:
class VideoIdsOnly
def matches?(request)
request.path =~ %r{\A/videos/\d+\z}
end
end
match '/videos/:id' => 'video#show', :as => "video", :constraints => VideoIdsOnly.new
match '/videos/:browseby' => 'videos#browse', :as => "browse_by"
I have a rails route that is based on two conditions, that the domain and subdomain are a specific value. The problem is that there are multiple possible values for subdomain to work, but I can't seem to be able to pass them as an array or hash.
map.with_options(:conditions => {:domain => AppConfig['base_domain'], :subdomain => 'www'..'www3'}) do |signup|
signup.plans '/signup', :controller => 'accounts', :action => 'plans'
...[truncated]...
end
The above example works as accepting www, www1, www2 & www3 as a value for the subdomain. However, that doesn't really solve my needs. I need to be able to accept a value of '' (nothing), 'www' and 'www2' so I tried something to the extend of:
map.with_options(:conditions => {:domain => AppConfig['base_domain'], :subdomain => ['','www','www2']}) do |signup|
That's similar to how you would set it up in ActiveRecord but it doesn't seem to be the same for routes.
Does anybody know now I can specify three values that aren't sequential?
If you can render it as a regular expression, you can use it as a condition. Converting an array to a regular expression is quite easy:
:subdomain => Regexp.new(%w[ www www3 ].collect { |p| Regexp.escape(p) }.join('|'))
Since you're just dealing with a simple pattern anyway, why not express it as this?
:subdomain => /www\d*/
It is important to note that the regular expressions used by routes are not supposed to be anchored using ^ or $ like you usually would. They must match completely to be valid, and partial matches are ignored.