This is how I'm posting comments currently. This works, but I read somewhere that I shouldn't inject params right into my SQL query, because it makes it easy for people to hack in and ruin the db. I'm not sure if this even makes sense, but I've tried other things, and can't get anything else to work.

#currently

def comments
  content = Content.find(params[:id])
  @comment = Comment.new(params[:comment])
  content.comments << @comment
  content.save
  if @comment.save then
    @comment_count = Comment.count("content_id=#{params[:id]}")
    render_without_layout
  else
    render :text => "Error"
  end
end

#what i've tried

def comments
  ...
  if @comment.save then
    @comment_count = Comment.count(:conditions => ["content_id=?", #{params[:id]}])
    render_without_layout
  else
    ...
end

This doesn't work, and I've tried variations thereof (@param[:id], @params[:id]).

Any ideas? Or is it even worth worrying about?

Thanks.

--
Posted via http://www.ruby-forum.com/.
Justin Blake
2006-Mar-17 16:01 UTC
[Rails] Security issue dealing with comment posting - anyone?
Have you tried params[:id] (no #{} and no @)?

That should be what you need to use.

Justin

On 3/17/06, rh <rheath@ircwv.com> wrote:
> This is how I'm posting comments currently. This works, but I read
> somewhere that I shouldn't inject params right into my sql query,
> because it makes it easy for people to hack in and ruin the db. I'm not
> sure if this even makes sense, but I've tried other things, and can't
> get anything else to work.
>
> #currently
>
> def comments
>   content = Content.find(params[:id])
>   @comment = Comment.new(params[:comment])
>   content.comments << @comment
>   content.save
>   if @comment.save then
>     @comment_count = Comment.count("content_id=#{params[:id]}")
>     render_without_layout
>   else
>     render :text => "Error"
>   end
> end
>
> #what i've tried
>
> def comments
>   ...
>   if @comment.save then
>     @comment_count = Comment.count(:conditions => ["content_id=?",
>     #{params[:id]}])
>     render_without_layout
>   else
>     ...
> end
>
> This doesn't work, and I've tried variations thereof (@param[:id],
> @params[:id]).
>
> Any ideas? Or is it even worth worrying about?
>
> Thanks.
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
rh
2006-Mar-17 17:28 UTC
[Rails] Re: Security issue dealing with comment posting - anyone?
Justin Blake wrote:
> Have you tried params[:id] (no #{} and no @)?
>
> That should be what you need to use.
>
> Justin

Ok, thanks. I thought that I tried that, but maybe not.

Also, I should mention that the '@params[:id]' option didn't give errors, but my Ajax call never seemed to complete. I have a 'spinner.gif' image to show while loading, and it never stops, which tells me that it's never coming back from the call. If I use the ("content_id=#{params[:id]}") option, it returns from the call.

Does it make any sense to you (or anyone) why the @params[:id] or params[:id] options would prevent my Ajax call from completing? Is it something with the way I'm checking for errors (if @comment.save then...)? I'm fairly new to Ruby and Rails, so my questions may seem a little ridiculous.

Also, is it better to use (:conditions => [ "content_id=?", params[:id] ]) instead of ("content_id=#{params[:id]}")? Are there security issues there? Or does it really matter since I'm only getting a count of the comments, and it's not really inserting or editing anything?

Thanks for any advice/tips/suggestions.

--
Posted via http://www.ruby-forum.com/.
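The difference between the two count calls discussed in this thread, shown as an added example that is not code from either poster or from Rails. The helpers `quote_sql_value` and `bind_conditions` are assumed stand-ins for what ActiveRecord does when it fills the `?` placeholders in `:conditions => ["content_id=?", params[:id]]`; they are not the Rails implementation. The sample request parameters are constructed. The point it makes is that with string interpolation whatever arrives in `params[:id]` is parsed as SQL, while with a placeholder it arrives as a quoted literal, and this holds whether the surrounding statement is a COUNT, an UPDATE or anything else.

```ruby
# Added example, not code from the thread. quote_sql_value and
# bind_conditions are stand-ins (assumptions) for ActiveRecord's "?"
# substitution in :conditions => ["content_id=?", id]; they are not
# the Rails implementation.

# Render a Ruby value as a SQL literal: integers stay bare, everything
# else becomes a single-quoted string with embedded quotes doubled.
def quote_sql_value(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each "?" in template with the next value, quoted. The
# values never enter the template as SQL text, only as literals.
def bind_conditions(template, *values)
  parts = template.split("?", -1)
  unless parts.length - 1 == values.length
    raise ArgumentError, "expected #{parts.length - 1} values, got #{values.length}"
  end
  sql = +""
  parts.each_with_index do |part, i|
    sql << part
    sql << quote_sql_value(values[i]) if i < values.length
  end
  sql
end

# Pattern from the original post: the request parameter is pasted
# directly into the SQL text, so the database parses it as SQL.
def count_sql_interpolated(id)
  "SELECT COUNT(*) FROM comments WHERE content_id=#{id}"
end

# Placeholder pattern: the parameter reaches the database as a literal.
def count_sql_bound(id)
  "SELECT COUNT(*) FROM comments WHERE " + bind_conditions("content_id=?", id)
end

if __FILE__ == $0
  # Constructed sample request parameters: one normal id and one that
  # is not a bare number at all.
  ["42", "42 OR 1=1"].each do |id|
    puts "params[:id] = #{id.inspect}"
    puts "  interpolated: #{count_sql_interpolated(id)}"
    puts "  bound:        #{count_sql_bound(id)}"
  end
end
```

Running the script prints both statements for each parameter; the interpolated version's WHERE clause changes shape with the second input, the bound version's does not. Since an id is expected to be an integer, converting it with `params[:id].to_i` before use is an extra, independent layer on top of the placeholder.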