search for: m000873

Hi List, I have a table that contains several fields that must be initialized when first created, but may not be altered afterwards (when updating the other fields) because they can be changed by external processes. I noticed that the ActiveRecord update commands (even update_attribute) only seem to work by loading the complete record, changing fields that need to be changed and doing a full

While doing @foo = Bar.new(params[:foo]) in a controller, the application is open to injection attacks. For example, My model has following attributes : name password admin - boolean Now, if on my form I''m just acception name & password, and doing @foo = Bar.new(params[:foo]) in my controller, someone can just enter following in form : <%= text_field ''foo'',

...ing plan to make this not so, anymore. The plan results in: update_attributes params[:shop], {:allow => [:header_color1, :header_color:2]} However Marcel whispers quietly beneath his beard that you can use ActiveRecord#attr_protected ( http://api.rubyonrails.com/classes/ActiveRecord/Base.html#M000873) : class Customer < ActiveRecord::Base attr_protected :credit_rating end but alas this is not what Laszlo had in mind. Tim Lucas closes the thread by providing a wonderful alternative: %w(name email address).each { |f| @person[f] = params[:person][f] } [ http://wrath.rubyonrails.org/piperm...

In console, I am trying to create a User but the :account_id does not come in. Console just gives me back :account_id => nil. Obviously I''m trying to set it though. Silly console... But, I can set the account_id column in my controller like so: @user = User.new(params[:user]) @user.account_id = account.id @user.save Here''s what I give to the controller: User.create :name