Greetings Railers,
I have a many-many defined as habtm from both sides of the equation.
I’ve also set the join table with appropriate belongs_to defines.
I followed this example to make it work,
jrhicks.net/Projects/rails/has_many_and_belongs_to_many.pdf
which does work, for maintaining the many-many relationship records.
The relevant line is
@A.Bs = B.find(@params[:A_ids]) if @params[:A_ids]
but the problem is that in my many-many table I have a “created_on”
field, as I’d like to track when this relationship is created.
Unfortunately this field is not getting auto-magically filled.
So, I’m wondering if this is due to the many-many type relationship not
allowing (or supporting) this type of thing. Or is it the technique I’m
using to maintain the relationship?
Or perhaps there is something completely different I’m not aware of,
entirely possible as I’ve been doing Rails work for all of 2 weeks now.
Hi,
Unfortunately this field is not getting auto-magically filled.
So, I’m wondering if this is due to the many-many type relationship not
allowing (or supporting) this type of thing. Or is it the technique I’m
using to maintain the relationship?
I had a similar problem a few weeks ago. With a simple
has_and_belongs_to_many, you can’t do what you want in Rails.
Or perhaps there is something completely different I’m not aware of,
entirely possible as I’ve been doing Rails work for all of 2 weeks now.
There is indeed something different, two things in fact. The first is
called push_with_attributes, and I never got quite behind how it works.
It’s also deprecated by now, so you really shouldn’t use it. The second
is the quite elegant has_many :through association.
Have a look at this article:
http://blog.hasmanythrough.com/articles/2006/04/20/many-to-many-dance-off
Which should give you good pointers, just as it did with me.
HTH,
Daniel
I know that doing something like this leaves you totally open to SQL
injection attacks:
contacts = Contact.find(:all, :conditions => "name = #{params[:name]}")
and should be written this way instead:
contacts = Contact.find(:all, :conditions => ["name = ?", params[:name]])
but is this safe?:
contact = Contact.find(params[:id])
or should that be written as?:
contact = Contact.find(:first, :conditions => ["id = ?", params[:id]])
Thanks.
Best Regards,
Tamim
That’s an excellent idea as well! I guess I was just curious whether the
find by id was safe to start with. I don’t want to add extra code if not
needed. Going for the minimalist approach.
Best Regards,
Tamim
ruby n00bie
How about Contact.find((params[:id]).to_i)? Can’t inject much with only
numbers…
On 8/27/06, Tamim A. [email protected] wrote:
but is this safe?:
contact = Contact.find(params[:id])
or should that be written as?:
contact = Contact.find(:first, :conditions => ["id = ?", params[:id]])
Contact.find(params[:id]) sanitizes its input as you expect.
jeremy
Thanks for the clarification. That makes life much easier.
Best Regards,
Tamim
ruby n00bie
Jeremy,
thanks for the clarification that Model.find(id) sanitizes id, I didn’t
know that as well!
However, 'abc'.to_i == 0
Isn’t that the point? Everything that isn’t a number just gets replaced
by 0. The only thing you can do then as an attacker is to fetch
non-existent rows, which doesn’t hurt the application too much.
Of course, this approach is not needed at all, with Model.find
sanitizing the id anyways…
On 8/27/06, Tamim A. [email protected] wrote:
Daniel J. wrote:
How about Contact.find((params[:id]).to_i)? Can’t inject much with only
numbers…
However, 'abc'.to_i == 0.
jeremy
On 8/28/06, Daniel J. [email protected] wrote:
by 0. The only thing you can do then as an attacker is to fetch
non-existent rows, which doesn’t hurt the application too much.
Because a record with id 0 may exist, whereas a record with id 'abc'
cannot.
jeremy
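As an added illustration (not code from this thread or from Rails itself) of the two points argued above, Tamim's interpolated versus bound :conditions and the later exchange about .to_i, here is a toy stand-in for ActiveRecord's "?" binding; quote_value, sanitize_conditions, interpolated_conditions, HOSTILE_NAME and the two id_condition_* helpers are all names assumed for this example, and the quoting rules are a simplification of the real ones.

```ruby
# Added example, not code from the thread or from Rails: a small model of
# how "?" placeholders in :conditions are filled, contrasting the interpolated
# and the bound form from the question, and showing what a non-numeric id
# becomes under quoting versus .to_i. Quoting is simplified from ActiveRecord's.

# Quote one bound value the way a "?" placeholder is filled in.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"   # embedded quotes are doubled
  end
end

# Fill "?" placeholders left to right, like :conditions => ["name = ?", x].
# Values are quoted before splicing, so a "?" inside a value is never a placeholder.
def sanitize_conditions(conditions)
  template, *values = conditions
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "wrong number of bind values for #{template.inspect}"
  end
  parts.zip(values.map { |v| quote_value(v) } + [""]).flatten.join
end

# The vulnerable shape from the question: the parameter is interpolated as-is.
# (Quotes around the value are added here so the benign case is valid SQL.)
def interpolated_conditions(name)
  "name = '#{name}'"
end

# Constructed hostile input: closes the string literal and appends a tautology.
HOSTILE_NAME = "x' OR '1'='1"

# Two ways of building the id lookup discussed at the end of the thread.
def id_condition_quoted(raw_id)   # the raw string is bound as a string literal
  sanitize_conditions(["id = ?", raw_id])
end

def id_condition_to_i(raw_id)     # the .to_i suggestion: 'abc' becomes 0
  sanitize_conditions(["id = ?", raw_id.to_i])
end

if __FILE__ == $0
  puts interpolated_conditions(HOSTILE_NAME)            # name = 'x' OR '1'='1'
  puts sanitize_conditions(["name = ?", HOSTILE_NAME])  # name = 'x'' OR ''1''=''1'
  puts id_condition_quoted("abc")                       # id = 'abc'
  puts id_condition_to_i("abc")                         # id = 0  (may match a real row)
end
```

The last two lines of output are Jeremy's point in concrete form: binding the string keeps 'abc' as a string literal, while .to_i silently turns it into the valid id 0.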