Forum: Ruby on Rails Security issue dealing with comment posting - anyone?

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
rh (Guest)
on 2006-03-17 17:53
This is how I'm posting comments currently.  This works, but I read
somewhere that I shouldn't inject params right into my sql query,
because it makes it easy for people to hack in and ruin the db.  I'm not
sure if this even makes sense, but I've tried other things, and can't
get anything else to work.


def comments
    content = Content.find(params[:id])
    @comment =[:comment])
    content.comments << @comment
    if then
      @comment_count = Comment.count("content_id=#{params[:id]}")
      render :text => "Error"

#what i've tried

def comments
    if then
      @comment_count = Comment.count(:conditions => ["content_id=?",

This doesn't work, and I've tried variations thereof (@param[:id],

Any ideas?  Or is it even worth worrying about?

Justin B. (Guest)
on 2006-03-17 18:03
(Received via mailing list)
Have you tried params[:id] (no #{} and no @)?

That should be what you need to use.

rh (Guest)
on 2006-03-17 19:28
Justin B. wrote:
> Have you tried params[:id] (no #{} and no @)?
> That should be what you need to use.
> Justin

Ok, thanks.  I thought that I tried that, but maybe not.  Also, I should
mention that the '@params[:id]' option didn't give errors, but my Ajax
call never seemed to complete.

I have a 'spinner.gif' image to show while loading, and it never stops,
which tells me that it's never coming back from the call.  If I use the
("content_id=#{params[:id]}") option, it returns from the call.

Does it make any sense to you (or anyone) why the @params[:id] or
params[:id] options would prevent my ajax call from completing?  Is it
something with the way I'm checking for errors (if

I'm fairly new to Ruby and Rails, so my questions may seem a little

Also, is it better to use (:conditions => [ "content_id=?", params[:id]
]) instead of ("content_id=#{params[:id]}")???  Are there security
issues there?  Or does it really matter since I'm only getting a count
of the comments, and it's not really inserting or editing anything?

Thanks for any advice/tips/suggestions.
This topic is locked and can not be replied to.