Greetings Railers,

I have a many-many defined as habtm from both sides of the equation. I've also set the join table with appropriate belongs_to defines. I followed this example to make it work, jrhicks.net/Projects/rails/has_many_and_belongs_to_many.pdf, which does work for maintaining the many-many relationship records. The relevant line is

  @A.Bs = B.find(@params[:A_ids]) if @params[:A_ids]

but the problem is that in my many-many table I have a "created_on" field, as I'd like to track when this relationship is created. Unfortunately this field is not getting auto-magically filled.

So, I'm wondering if this is due to the many-many type relationship not allowing (or supporting) this type of thing. Or is it the technique I'm using to maintain the relationship? Or perhaps there is something completely different I'm not aware of, entirely possible as I've been doing Rails work for all of 2 weeks now.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
Hi,

> Unfortunately this field is not getting auto-magically filled.
>
> So, I'm wondering if this is due to the many-many type relationship not
> allowing (or supporting) this type of thing. Or is it the technique I'm
> using to maintain the relationship?

I had a similar problem a few weeks ago. With a simple has_and_belongs_to_many, you can't do what you want in Rails.

> Or perhaps there is something completely different I'm not aware of,
> entirely possible as I've been doing Rails work for all of 2 weeks now.

There is indeed something different, two things in fact. The first is called push_with_attributes, and I never got quite behind how it works. It's also deprecated by now, so you really shouldn't use it. The second is the quite elegant has_many :through association. Have a look at this article:

http://blog.hasmanythrough.com/articles/2006/04/20/many-to-many-dance-off

which should give you good pointers, just as it did with me.

HTH,
Daniel

--
Posted via http://www.ruby-forum.com/.
I know that doing something like this leaves you totally open to SQL injection attacks:

  contacts = Contact.find(:all, :conditions => "name = #{params[:name]}")

and should be written this way instead:

  contacts = Contact.find(:all, :conditions => ["name = ?", params[:name]])

but is this safe?:

  contact = Contact.find(params[:id])

or should that be written as?:

  contact = Contact.find(:first, :conditions => ["id = ?", params[:id]])

Thanks.

Best Regards,
Tamim
How about Contact.find((params[:id]).to_i) ? Can't inject much with only numbers....

--
Posted via http://www.ruby-forum.com/.
That's an excellent idea as well! I guess I was just curious whether the find by id was safe to start with. I don't want to add extra code if not needed. Going for the minimalist approach :)

Best Regards,
Tamim
ruby n00bie

Daniel Jilg wrote:
> How about Contact.find((params[:id]).to_i) ? Can't inject much with only
> numbers....
On 8/27/06, Tamim Azizadah <taz-TOmwmVgPDaxWk0Htik3J/w@public.gmane.org> wrote:
> I know that doing something like this leaves you totally open to SQL
> injection attacks:
>
>   contacts = Contact.find(:all, :conditions => "name = #{params[:name]}")
>
> and should be written this way instead:
>
>   contacts = Contact.find(:all, :conditions => ["name = ?", params[:name]])
>
> but is this safe?:
>
>   contact = Contact.find(params[:id])
>
> or should that be written as?:
>
>   contact = Contact.find(:first, :conditions => ["id = ?", params[:id]])

Contact.find(params[:id]) sanitizes its input as you expect.

jeremy
On 8/27/06, Tamim Azizadah <taz-TOmwmVgPDaxWk0Htik3J/w@public.gmane.org> wrote:
> That's an excellent idea as well! I guess I was just curious whether the
> find by id was safe to start with. I don't want to add extra code if not
> needed. Going for the minimalist approach :)
>
> Best Regards,
>
> Tamim
> ruby n00bie
>
> Daniel Jilg wrote:
> > How about Contact.find((params[:id]).to_i) ? Can't inject much with only
> > numbers....

However, 'abc'.to_i == 0.

jeremy
Thanks for the clarification. That makes life much easier.

Best Regards,
Tamim
ruby n00bie

Jeremy Kemper wrote:
> On 8/27/06, Tamim Azizadah <taz-TOmwmVgPDaxWk0Htik3J/w@public.gmane.org> wrote:
>
> > I know that doing something like this leaves you totally open to SQL
> > injection attacks:
> >
> >   contacts = Contact.find(:all, :conditions => "name = #{params[:name]}")
> >
> > and should be written this way instead:
> >
> >   contacts = Contact.find(:all, :conditions => ["name = ?", params[:name]])
> >
> > but is this safe?:
> >
> >   contact = Contact.find(params[:id])
> >
> > or should that be written as?:
> >
> >   contact = Contact.find(:first, :conditions => ["id = ?", params[:id]])
>
> Contact.find(params[:id]) sanitizes its input as you expect.
>
> jeremy
Jeremy,

thanks for the clarification that Model.find(id) sanitizes id, I didn't know that as well!

> However, 'abc'.to_i == 0

Isn't that the point? Everything that isn't a number just gets replaced by 0. The only thing you can do then as an attacker is to fetch non-existent rows, which doesn't hurt the application too much. Of course, this approach is not needed at all, with Model.find sanitizing the id anyways...

--
Posted via http://www.ruby-forum.com/.
On 8/28/06, Daniel Jilg <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Jeremy,
>
> thanks for the clarification that Model.find(id) sanitizes id, I didn't
> know that as well!
>
> > However, 'abc'.to_i == 0
>
> Isn't that the point? Everything that isn't a number just gets replaced
> by 0. The only thing you can do then as an attacker is to fetch
> non-existent rows, which doesn't hurt the application too much.

Because a record with id 0 may exist, whereas a record with id 'abc' cannot.

jeremy
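An added example, not code from the thread or from Rails: a plain-Ruby stand-in for the placeholder binding behind the ["name = ?", params[:name]] form, set beside the interpolated form and beside the two id-handling choices debated above (to_i versus a strict integer parse). quote_literal, bind_conditions, lenient_id and strict_id are hypothetical helper names, not Rails APIs, and the sample parameter value is constructed.

```ruby
# Added example, not the thread's or Rails' own code. The helper names are
# hypothetical; they only mimic what :conditions => ["... = ?", value] does.

# Render one value as a SQL literal: integers bare, everything else as a
# single-quoted string with embedded quotes doubled.
def quote_literal(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for the ["name = ?", value] form: every ? is replaced by the
# quoted value, so the data can never change the shape of the statement.
def bind_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  template.gsub("?") { quote_literal(values.shift) }
end

# The vulnerable form from the thread: the raw parameter is spliced into
# the SQL text, so a quote in the data becomes a quote in the statement.
def interpolated_conditions(name)
  "name = '#{name}'"
end

# Daniel's suggestion: to_i never raises, but "abc".to_i == 0 and
# "42abc".to_i == 42, so malformed input silently maps onto real ids.
def lenient_id(raw)
  raw.to_i
end

# Stricter alternative: Integer() accepts only a whole decimal number and
# rejects anything else, which is what an id parameter should be.
def strict_id(raw)
  Integer(raw, 10)
rescue ArgumentError, TypeError
  nil
end

if $PROGRAM_NAME == __FILE__
  name = "O'Brien"  # constructed parameter value with an embedded quote
  puts interpolated_conditions(name)            # name = 'O'Brien'   (broken)
  puts bind_conditions("name = ?", name)        # name = 'O''Brien'  (escaped)
  p [lenient_id("abc"), strict_id("abc")]       # [0, nil]
  p [lenient_id("42abc"), strict_id("42abc")]   # [42, nil]
end
```

The embedded quote is enough to show the mechanism: interpolation yields an unbalanced literal, binding yields a well-formed one, and only the strict parse turns "abc" into a rejection rather than into id 0.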