This is how I’m posting comments currently. This works, but I read
somewhere that I shouldn’t inject params right into my sql query,
because it makes it easy for people to hack in and ruin the db. I’m not
sure if this even makes sense, but I’ve tried other things, and can’t
get anything else to work.
#currently
def comments
content = Content.find(params[:id]) @comment = Comment.new(params[:comment])
content.comments << @comment
content.save
if @comment.save then @comment_count = Comment.count(“content_id=#{params[:id]}”)
render_without_layout
else
render :text => “Error”
end
end
#what i’ve tried
def comments
…
if @comment.save then @comment_count = Comment.count(:conditions => [“content_id=?”,
#{params[:id]}])
render_without_layout
else
…
end
This doesn’t work, and I’ve tried variations thereof (@param[:id], @params[:id]).
Ok, thanks. I thought that I tried that, but maybe not. Also, I should
mention that the ‘@params[:id]’ option didn’t give errors, but my Ajax
call never seemed to complete.
I have a ‘spinner.gif’ image to show while loading, and it never stops,
which tells me that it’s never coming back from the call. If I use the
(“content_id=#{params[:id]}”) option, it returns from the call.
Does it make any sense to you (or anyone) why the @params[:id] or
params[:id] options would prevent my ajax call from completing? Is it
something with the way I’m checking for errors (if @comment.save
then…)?
I’m fairly new to Ruby and Rails, so my questions may seem a little
ridiculous.
Also, is it better to use (:conditions => [ “content_id=?”, params[:id]
]) instead of (“content_id=#{params[:id]}”)??? Are there security
issues there? Or does it really matter since I’m only getting a count
of the comments, and it’s not really inserting or editing anything?
Thanks for any advice/tips/suggestions.
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.