Security issue dealing with comment posting - anyone?


This is how I’m posting comments currently. This works, but I read
somewhere that I shouldn’t inject params right into my sql query,
because it makes it easy for people to hack in and ruin the db. I’m not
sure if this even makes sense, but I’ve tried other things, and can’t
get anything else to work.


def comments
content = Content.find(params[:id])
@comment =[:comment])
content.comments << @comment
if then
@comment_count = Comment.count(“content_id=#{params[:id]}”)
render :text => “Error”

#what i’ve tried

def comments

if then
@comment_count = Comment.count(:conditions => [“content_id=?”,


This doesn’t work, and I’ve tried variations thereof (@param[:id],

Any ideas? Or is it even worth worrying about?



Have you tried params[:id] (no #{} and no @)?

That should be what you need to use.



Justin B. wrote:

Have you tried params[:id] (no #{} and no @)?

That should be what you need to use.


Ok, thanks. I thought that I tried that, but maybe not. Also, I should
mention that the ‘@params[:id]’ option didn’t give errors, but my Ajax
call never seemed to complete.

I have a ‘spinner.gif’ image to show while loading, and it never stops,
which tells me that it’s never coming back from the call. If I use the
(“content_id=#{params[:id]}”) option, it returns from the call.

Does it make any sense to you (or anyone) why the @params[:id] or
params[:id] options would prevent my ajax call from completing? Is it
something with the way I’m checking for errors (if

I’m fairly new to Ruby and Rails, so my questions may seem a little

Also, is it better to use (:conditions => [ “content_id=?”, params[:id]
]) instead of (“content_id=#{params[:id]}”)??? Are there security
issues there? Or does it really matter since I’m only getting a count
of the comments, and it’s not really inserting or editing anything?

Thanks for any advice/tips/suggestions.