similar to: sql injection

Displaying 20 results from an estimated 8000 matches similar to: "sql injection"

2007 Dec 22
8
Rails 2.0 rescue_from
I am trying to use the new Rails 2.0 macro: rescue_from class PostsController < ApplicationController rescue_from ActiveRecord::RecordNotFound, :with => :deny_access ... def show @post = Post.find_by_id(params[:id]) raise ActiveRecord::RecordNotFound if @post.nil? #illegal access ..... end def deny_access respond_to do |format| format.html end end but the
2005 Dec 11
9
LIKE SQL queries in rails
I'm trying to do something like: SELECT * FROM attachment WHERE filename LIKE '%whatever%'; so my code is: @search = params[:search] @attachments = Attachment.find(:all, :conditions => ["filename LIKE '%?%'", @search.to_s]) but that's converting to: SELECT * FROM attachments WHERE (filename LIKE
2006 Mar 22
7
What is difference between render & redirect methods?
Hi, These are two methods: 1) redirect_to :action => 'list' 2) render :action => 'list' What is the difference between these two methods? Thanks. Prash -- Posted via http://www.ruby-forum.com/.
2006 Apr 23
18
Applications used in the Rails video?
Hi all, I just watched the Rails video: http://www.rubyonrails.org/media/video/rails_take2_with_sound.mov I am just curious. I can tell that the video was done on a Mac, but I cannot tell which applications were used for editing the code, and for interfacing with the MySQL database. As far as editing source code, I normally use BBEdit (I've used it since 1994), but the editor used in
2006 Feb 11
5
after_(read|find) callback?
I am pondering the possibility of encrypting/decrypting some fields in a SQLite backend on-the-fly. The point of the message is not security, I know that's broken, but whether there's a technique that provides on-the-fly save/read filters. Of course the solution would need to work transparently in joins, so user.posts.last.title would do the right thing if title
2006 Feb 04
22
What's the best way to embed a form?
I would like to embed my login form on my app's home page. What's the best way to render the login action of member controller from another action? Thanks Frank
2006 Apr 20
21
Can someone please explain Lighttpd + Mongrel + Rails.
I know that Mongrel is a web server that hosts Rails applications. But I don't understand what part Lighttpd (or Apache) has in the setup. I know that you can use Mongrel on its own. What does Lighttpd improve on? Thanks, Chris -- Posted via http://www.ruby-forum.com/.
2006 Apr 15
8
Migrations - adding a new table and automatically creating records
I want to create a table called roles and then populate it with some new records... This doesn't work. Is there something I'm missing? Craig class AddRightsAndRolesTables < ActiveRecord::Migration def self.up create_table :roles do |t| t.column "name", :string end Role.reset_column_information Role.new :name => "Users Admin"
2006 May 15
11
can you explain this benchmark?
I want to load about 14000 words (a subset of /usr/share/dict/words) into a MySQL table in a migration: class CreateWords < ActiveRecord::Migration def self.up create_table :words, :force => true do |t| t.column :word, :string end say_with_time 'loading words...' do words = File.join(RAILS_ROOT, 'db',
2006 Apr 07
22
Find WHERE in Rails
I'd like to find all records that have a certain integer as their "level" field in the database. I know how to find all the records: allquestions = Question.find(:all) ...and I know how to find the one record that has a certain id: allquestions = Question.find(params[:id]) ...but how do you find all the records that share a certain value in one of their fields? I tried
2013 Apr 12
4
rails named scopes and SQL injection
Hi guys, I just came across an example in the code of the place I work for that said something like this could be vulnerable to SQL injection attacks: scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) } I wonder if this is true. My thought is that Rails should escape this and that anything that tried to do something different would fail on the translation
2006 Jul 17
18
Inserting datetime value into SQL Server
I have a SQL Server column named StartTime of (SQL Server) type datetime. If I attempt to set the attribute using public def StartTime=(time) write_attribute(:StartTime, "{ts '1899-12-30 #{time.hour}:#{time.min}:#{time.sec}'}") end it's inserting a NULL value. Anyone else able to successfully insert a datetime value into a SQL Server table using
2006 May 24
7
migrations and SQLite
I read in the instructions of Tracks that "upgrading via the rake migrate command is quite a bit more tricky currently with SQLite and SQLite3". Is there any gotcha regarding migrations and SQLite3? -- fxn
2006 Dec 07
17
compress and max upload size?
I am using mongrel_cluster with mod_proxy_balancer and would like to enable compression (assuming it improves throughput) and limit file upload size. I configured mod_deflate and LimitRequestSize in Apache, but in my trials it looks like the proxied calls bypass those directives (the conf goes below). Is there a way to get this? -- fxn # Adapt this .example locally, as usual. # # To be
2006 Apr 29
7
catch "find" exception
Obviously, the following code is not working <p> <% if !@group.users.find(session[:user].id) %> <%= link_to "Join This Group", :action => "join", :id => @group %> <% end %> </p> "find" always throws an exception. I want to display the link if "find" fails; what is the right way to do this? Thanks. -- Posted via
2006 Feb 19
4
is "display" a reserved name of some sort?
A view display.rhtml sees no controller state variables set in the corresponding display action. Why? -- fxn
2006 Jul 17
5
quantic phenomena in migrations
I have an application with 15 migrations under version control. On a Mac and on a Windows machine, a rake migrate from scratch runs them all just fine. But on a different Windows machine rake migrate stops after migration 3 for no apparent reason. --trace seems normal. No error is reported. Both Windows machines are XP SP2. They all have the same svn revision and Rails-related software, database is
2006 Apr 10
5
ActiveRecord: Behavior not documented
Hello everybody, doing a #find(:first,an_id) with Rails 1.1.0 I expected that find returns the record whose id matches the given parameter an_id, or nil if it couldn't be found. This behaviour is documented on api.rubyonrails.org. But the find returns the first available object and not nil if an_id is not in the db. Is the doc on rubyonrails.org out of sync? Greetings, -- Daniel
2006 Jun 01
5
History plugin
Hello, I felt annoyed enough when having to redirect users back to their previous location in a hackish way that I wrote this plugin. It avoids storing POST and Ajax requests. It also has a facility to specify actions not to store in the history. If you are interested, it's there: http://blog.cosinux.org/pages/rails-history See you all, Damien -- Damien MERENNE
2007 Oct 15
6
SQL injection with :order, :limit, :group
I know how to avoid SQL injection attacks when you use :conditions User.find :first, :conditions => ["login=?", params[:username]] but how about with :order, :limit or :group? # uh-oh...spaghetti-oh User.find :first, :order => "login; delete from users; select * from users" Pat