use all and first instead of find(:all) and find(:first)
This commit is contained in:
Vijay Dev
parent
c6b9e47d5c
commit
2801efbc3b
|
|
@ -367,14 +367,14 @@ This helper makes building an ATOM feed easy. Here's a full usage example:
|
|||
*config/routes.rb*
|
||||
|
||||
<ruby>
|
||||
map.resources :posts
|
||||
resources :posts
|
||||
</ruby>
|
||||
|
||||
*app/controllers/posts_controller.rb*
|
||||
|
||||
<ruby>
|
||||
def index
|
||||
@posts = Post.find(:all)
|
||||
@posts = Post.all
|
||||
|
||||
respond_to do |format|
|
||||
format.html
|
||||
|
|
@ -809,7 +809,7 @@ end
|
|||
Sample usage (selecting the associated Author for an instance of Post, +@post+):
|
||||
|
||||
<ruby>
|
||||
collection_select(:post, :author_id, Author.find(:all), :id, :name_with_initial, {:prompt => true})
|
||||
collection_select(:post, :author_id, Author.all, :id, :name_with_initial, {:prompt => true})
|
||||
</ruby>
|
||||
|
||||
If @post.author_id is already 1, this would return:
|
||||
|
|
@ -910,7 +910,7 @@ Create a select tag and a series of contained option tags for the provided objec
|
|||
Example with @post.person_id => 1:
|
||||
|
||||
<ruby>
|
||||
select("post", "person_id", Person.find(:all).collect {|p| [ p.name, p.id ] }, { :include_blank => true })
|
||||
select("post", "person_id", Person.all.collect {|p| [ p.name, p.id ] }, { :include_blank => true })
|
||||
</ruby>
|
||||
|
||||
could become:
|
||||
|
|
|
|||
|
|
@ -1135,7 +1135,7 @@ h6(#has_many-collection-find). <tt><em>collection</em>.find(...)</tt>
|
|||
The <tt><em>collection</em>.find</tt> method finds objects within the collection. It uses the same syntax and options as +ActiveRecord::Base.find+.
|
||||
|
||||
<ruby>
|
||||
@open_orders = @customer.orders.find(:all, :conditions => "open = 1")
|
||||
@open_orders = @customer.orders.all(:conditions => "open = 1")
|
||||
</ruby>
|
||||
|
||||
NOTE: Starting Rails 3, supplying options to +ActiveRecord::Base.find+ method is discouraged. Use <tt><em>collection</em>.where</tt> instead when you need to pass conditions.
|
||||
|
|
@ -1564,7 +1564,7 @@ h6(#has_and_belongs_to_many-collection-find). <tt><em>collection</em>.find(...)<
|
|||
The <tt><em>collection</em>.find</tt> method finds objects within the collection. It uses the same syntax and options as +ActiveRecord::Base.find+. It also adds the additional condition that the object must be in the collection.
|
||||
|
||||
<ruby>
|
||||
@new_assemblies = @part.assemblies.find(:all,
|
||||
@new_assemblies = @part.assemblies.all(
|
||||
:conditions => ["created_at > ?", 2.days.ago])
|
||||
</ruby>
|
||||
|
||||
|
|
|
|||
|
|
@ -269,7 +269,7 @@ If you got there by a browser request, the browser tab containing the request wi
|
|||
For example:
|
||||
|
||||
<shell>
|
||||
@posts = Post.find(:all)
|
||||
@posts = Post.all
|
||||
(rdb:7)
|
||||
</shell>
|
||||
|
||||
|
|
@ -302,7 +302,7 @@ This command shows you where you are in the code by printing 10 lines centered a
|
|||
3 # GET /posts.xml
|
||||
4 def index
|
||||
5 debugger
|
||||
=> 6 @posts = Post.find(:all)
|
||||
=> 6 @posts = Post.all
|
||||
7
|
||||
8 respond_to do |format|
|
||||
9 format.html # index.html.erb
|
||||
|
|
@ -380,7 +380,7 @@ Any expression can be evaluated in the current context. To evaluate an expressio
|
|||
This example shows how you can print the instance_variables defined within the current context:
|
||||
|
||||
<shell>
|
||||
@posts = Post.find(:all)
|
||||
@posts = Post.all
|
||||
(rdb:11) instance_variables
|
||||
["@_response", "@action_name", "@url", "@_session", "@_cookies", "@performed_render", "@_flash", "@template", "@_params", "@before_filter_chain_aborted", "@request_origin", "@_headers", "@performed_redirect", "@_request"]
|
||||
</shell>
|
||||
|
|
|
|||
|
|
@ -436,7 +436,7 @@ h4. Model
|
|||
Project.benchmark("Creating project") do
|
||||
project = Project.create("name" => "stuff")
|
||||
project.create_manager("name" => "David")
|
||||
project.milestones << Milestone.find(:all)
|
||||
project.milestones << Milestone.all
|
||||
end
|
||||
</ruby>
|
||||
|
||||
|
|
|
|||
|
|
@ -616,7 +616,7 @@ h5(#sql-injection-introduction). Introduction
|
|||
SQL injection attacks aim at influencing database queries by manipulating web application parameters. A popular goal of SQL injection attacks is to bypass authorization. Another goal is to carry out data manipulation or reading arbitrary data. Here is an example of how not to use user input data in a query:
|
||||
|
||||
<ruby>
|
||||
Project.find(:all, :conditions => "name = '#{params[:name]}'")
|
||||
Project.all(:conditions => "name = '#{params[:name]}'")
|
||||
</ruby>
|
||||
|
||||
This could be in a search action and the user may enter a project's name that he wants to find. If a malicious user enters ' OR 1 --, the resulting SQL query will be:
|
||||
|
|
@ -632,7 +632,7 @@ h5. Bypassing Authorization
|
|||
Usually a web application includes access control. The user enters his login credentials, the web application tries to find the matching record in the users table. The application grants access when it finds a record. However, an attacker may possibly bypass this check with SQL injection. The following shows a typical database query in Rails to find the first record in the users table which matches the login credentials parameters supplied by the user.
|
||||
|
||||
<ruby>
|
||||
User.find(:first, "login = '#{params[:name]}' AND password = '#{params[:password]}'")
|
||||
User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'")
|
||||
</ruby>
|
||||
|
||||
If an attacker enters ' OR '1'='1 as the name, and ' OR '2'>'1 as the password, the resulting SQL query will be:
|
||||
|
|
@ -648,7 +648,7 @@ h5. Unauthorized Reading
|
|||
The UNION statement connects two SQL queries and returns the data in one set. An attacker can use it to read arbitrary data from the database. Let's take the example from above:
|
||||
|
||||
<ruby>
|
||||
Project.find(:all, :conditions => "name = '#{params[:name]}'")
|
||||
Project.all(:conditions => "name = '#{params[:name]}'")
|
||||
</ruby>
|
||||
|
||||
And now let's inject another query using the UNION statement:
|
||||
|
|
@ -675,13 +675,13 @@ Ruby on Rails has a built-in filter for special SQL characters, which will escap
|
|||
Instead of passing a string to the conditions option, you can pass an array to sanitize tainted strings like this:
|
||||
|
||||
<ruby>
|
||||
Model.find(:first, :conditions => ["login = ? AND password = ?", entered_user_name, entered_password])
|
||||
Model.first(:conditions => ["login = ? AND password = ?", entered_user_name, entered_password])
|
||||
</ruby>
|
||||
|
||||
As you can see, the first part of the array is an SQL fragment with question marks. The sanitized versions of the variables in the second part of the array replace the question marks. Or you can pass a hash for the same result:
|
||||
|
||||
<ruby>
|
||||
Model.find(:first, :conditions => {:login => entered_user_name, :password => entered_password})
|
||||
Model.first(:conditions => {:login => entered_user_name, :password => entered_password})
|
||||
</ruby>
|
||||
|
||||
The array or hash form is only available in model instances. You can try +sanitize_sql()+ elsewhere. _(highlight)Make it a habit to think about the security consequences when using an external string in SQL_.
|
||||
|
|
|
|||
Loading…
Reference in New Issue