For various reasons, it would be nice if AR updates could be done selectively. So, for example, if I do Customer.update(id, @params["customer"]), then it would be very convenient if the columns mentioned in @params["customer"] were updated, but no others.

One reason for this is because I have a legacy database for which some data might not quite fit my current validation model (which is OK). To reduce the information on the screen, I want to split the update into several different screens, each responsible for some of the fields. With validation, any legacy data that doesn't match my current validation constraints will cause an error, even if the user is not updating the field in error (and it's not even displayed on the form).

Another reason, again with this legacy database, is that the customer's account balance is stored right in the customer record. This should never be updated from a form, so it makes sense to not include that value, ever, in the actual SQL to update the customer. I realize that with appropriate locking and/or transactions, problems can be avoided. Nevertheless, it's more conservative and safer not to be overwriting with a potentially stale value every time you update the customer record. It'd also be more efficient because, I suppose, AR must actually read the db to fill in any missing values.

What do other people think about this issue?

Bob
> What do other people think about this issue?

You have the go ahead to look into a patch to do selective updating ;)

--
David Heinemeier Hansson,
http://www.basecamphq.com/ -- Web-based Project Management
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://macromates.com/ -- TextMate: Code and markup editor (OS X)
http://www.loudthinking.com/ -- Broadcasting Brain
Great idea!

Micah

On Thu, 13 Jan 2005 16:44:40 -0800, Bob Sidebotham <bob.sidebotham-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> For various reasons, it would be nice if AR updates could be done
> selectively. So, for example, if I do Customer.update(id,
> @params["customer"]), then it would be very convenient if the columns
> mentioned in @params["customer"] were updated, but no others.
>
> One reason for this is because I have a legacy database for which some
> data might not quite fit my current validation model (which is OK). To
> reduce the information on the screen, I want to split the update into
> several different screens, each responsible for some of the fields.
> With validation, any legacy data that doesn't match my current
> validation constraints will cause an error, even if the user is not
> updating the field in error (and it's not even displayed on the form).
>
> Another reason, again with this legacy database, is that the
> customer's account balance is stored right in the customer record.
> This should never be updated from a form, so it makes sense to not
> include that value, ever, in the actual SQL to update the customer. I
> realize that with appropriate locking and/or transactions, problems
> can be avoided. Nevertheless, it's more conservative and safer not to
> be overwriting with a potentially stale value every time you update
> the customer record. It'd also be more efficient because, I suppose,
> AR must actually read the db to fill in any missing values.
>
> What do other people think about this issue?
>
> Bob
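A sketch of the selective update proposed in this thread, as an added example that is not part of the original messages and not ActiveRecord's code. The helper selective_update, the PROTECTED_COLUMNS list, and the table and column names are hypothetical; it only builds the parameterized SQL and bind values, leaving execution to whatever database layer is in use.

```ruby
# Columns that no form may ever write, whatever the request contains
# (hypothetical list, following the account-balance case in the thread).
PROTECTED_COLUMNS = %w[id account_balance].freeze

# Build an UPDATE that touches only the columns that were both submitted
# and permitted for this particular screen.
# Returns [sql, bind_values], or nil when nothing submitted is permitted.
def selective_update(table, id, params, permitted)
  allowed = permitted.map(&:to_s) - PROTECTED_COLUMNS
  changes = params.select { |col, _| allowed.include?(col.to_s) }
  return nil if changes.empty?

  # Column names reach the SQL text only after matching the allow-list;
  # submitted values travel as bind parameters, never as SQL text.
  assignments = changes.keys.map { |col| "#{col} = ?" }.join(", ")
  ["UPDATE #{table} SET #{assignments} WHERE id = ?", changes.values + [id]]
end

# Constructed request: the "contact" screen exposes name and phone only,
# but the submitted hash also carries a balance field.
SAMPLE_PARAMS = {
  "name"            => "Bob",
  "phone"           => "555-0100",
  "account_balance" => "1000000"
}.freeze

def sample_update
  selective_update("customers", 7, SAMPLE_PARAMS, %w[name phone])
end
```

Columns that are absent from the statement are neither validated against stale legacy data nor overwritten, which covers both concerns raised in the first message.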
In the following view:

----
<% for todo in @todos %>
  <tr>
  <% for column in Todo.content_columns %>
    <td><%=h todo[column.name] %></td>
  <% end %>
    <td><%= link_to 'Show', :action => 'show', :id => todo.id %></td>
    <td><%= link_to 'Edit', :action => 'edit', :id => todo.id %></td>
    <td><%= link_to 'Destroy', :action => 'destroy', :id => todo.id %></td>
  </tr>
<% end %>
----

What does "<%=h" do? I don't see any difference when I change it to "<%=".
Trevor wrote:
> What does "<%=h" do? I don't see any difference when I change it to "<%=".

h() is an alias for html_escape() in erb.rb

Tim.

--
Tim Bates
tim-kZbwfhiKUx26c6uEtOJ/EA@public.gmane.org
Trevor wrote:
> What does "<%=h" do? I don't see any difference when I change it to "<%=".

It escapes HTML entities: '<' maps to '&lt;', etcetera.

jeremy
Trevor wrote:
> What does "<%=h" do? I don't see any difference when I change it to
> "<%=".

Prevents HTML injection attacks by converting HTML syntax to entities. If I'm not mistaken, it's an alias of CGI.escapeHTML

--
Best regards,
Alexey Verkhovsky

Ruby Forum: http://ruby-forum.org (moderator)
RForum: http://rforum.andreas-s.net (co-author)
Instiki: http://instiki.org (maintainer)
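Why the two forms can look identical, as an added example that is not part of the original thread: with plain text the output of "<%=" and "<%=h" is the same, and it differs only once a stored value contains HTML metacharacters. The TodoView class, the templates and the sample rows are constructed for illustration; ERB and ERB::Util come from Ruby's standard library.

```ruby
require "erb"

# Minimal stand-in for a view: exposes @todos and the h() helper to a template.
class TodoView
  include ERB::Util # provides h, the alias of html_escape

  def initialize(todos)
    @todos = todos
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# The same table cell, written without and with h.
RAW     = '<% @todos.each do |t| %><td><%= t %></td><% end %>'
ESCAPED = '<% @todos.each do |t| %><td><%=h t %></td><% end %>'

# Constructed rows: one plain value, one carrying markup as stored data.
PLAIN  = ["Buy milk"].freeze
MARKUP = ['<b>urgent</b> & "quoted"'].freeze

# True when h makes no visible difference for the given rows.
def same_output?(todos)
  view = TodoView.new(todos)
  view.render(RAW) == view.render(ESCAPED)
end

def escaped_markup_row
  TodoView.new(MARKUP).render(ESCAPED)
end
```

For the plain row both templates produce the same cell; for the markup row the raw template passes the tags through to the browser, while the h version emits them as inert entities.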