感谢您对此的帮助。我是 Rails 新手(使用 Rails 2,我知道这并不理想,但它对项目来说是必需的。)我有一个包含多个输入的表单。我想确保保护我的用户免受 SQL 注入。我想我已经妥善处理了它,但我只是想确定一下,尤其是在输入方面。
shoes.html.erb 具有保存到 shoes and socks 表的表格
<% form_for @shoe, :html=>{:id=>'createanOrder'} do |f| %>
<input id="shoe_name" name="shoename" size="30" type="text" value="New Shoe"></p>
<p>Enter a decoration for the top:
<input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>
<p>Or, select a decoration from the list:
<select id="topdecorationdropdown" name="topdecorationdropdown">
<option value="">
<% for allshoe in @allshoe %>
<option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
<% end %>
</select>
</p>
<select multiple id="socks" name="socksselected[]">
<% for sock in @sock %>
<option selected value="<%= sock.name %>">
<%= sock.name %></option>
<% end %>
</select>
<input type="checkbox" name="shipit" id="shipt" checked="true">
<p>Enter a decoration for the bottom:
<input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>
<p>Or, select a decoration from the list:
<select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
<option value="">
<% for allshoe in @allshoe %>
<option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
<% end %>
</select>
</p>
<input type="submit" id="savethisorder" value="Save Order or Update Order">
<% end %>
鞋子控制器
class ShoesController < ApplicationController
# GET /shoes
# GET /shoes.xml
def index
@shoe = Shoe.all
@sock = Sock.all
respond_to do |format|
format.html # index.html.erb
format.xml { render :xml => @shoes }
end
end
# GET /shoes/1
# GET /shoes/1.xml
def show
@shoe = Shoe.find(params[:id])
@sock = Sock.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.xml { render :xml => @shoe }
end
end
# GET /shoes/new
# GET /shoes/new.xml
def new
@shoe = Shoe.new
@sock = Sock.new
respond_to do |format|
format.html # new.html.erb
format.xml { render :xml => @shoe }
end
end
# GET /shoes/1/edit
def edit
@shoe = Shoe.find(params[:id])
@sock = Sock.find(params[:id])
respond_to do |format|
format.html # edit.html.erb
format.xml { render :xml => @activity }
end
end
# POST /shoes
# POST /shoes.xml
def create
@shoe = Shoe.new(params[:shoe])
@shoe.name = params[:shoename]
if !params[:topdecorationdropdown].blank?
@shoe.decoration = params[:topdecorationinput]
else
@shoe.decoration = params[:topdecorationdropdown]
topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip)
@shoe.sparkletopdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]).sparkle
end
socks = params[:socksselected]
socks.each do |sock_info|
sock = Sock.new
sock.sockdescription = sock_info
sock.shoe = @shoe
sockdecoration_array = sock_info.split(',').collect(&:strip)
@sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
if @sockisaset
sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]).sparkle
else
sock.sparkle = nil
end
sock.save
end
if !params[:shipit].blank?
@shoe.shipit = 1
else
@shoe.shipit = 0
end
if !params[:bottomdecorationdropdown].blank?
@shoe.decoration = params[:bottomdecorationinput]
else
@shoe.decoration = params[:bottomdecorationdropdown]
bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip)
@shoe.sparklebottomdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]).sparkle
end
end
respond_to do |format|
if @shoe.save
format.html { redirect_to "/store" }
format.xml { render :xml => @shoe, :status => :created}
else
format.html { render :action => "new" }
format.xml { render :xml => @shoe.errors, :status => :unprocessable_entity }
end
end
end
# PUT /shoes/1
# PUT /shoes/1.xml
def update
@shoe = Shoe.find(params[:id])
respond_to do |format|
if @shoe.update_attributes(params[:shoe])
flash[:notice] = 'Shoe was successfully updated.'
format.html { redirect_to "/store" }
format.xml { head :ok }
else
format.html { render :action => "edit" }
format.xml { render :xml => @shoe.errors, :status => :unprocessable_entity }
end
end
end
# DELETE /shoes/1
# DELETE /shoes/1.xml
def destroy
@shoe = Shoe.find(params[:id])
@shoe.destroy
respond_to do |format|
format.html { redirect_to "/store" }
format.xml { head :ok }
end
end
end
鞋型
class Shoe < ActiveRecord::Base
belongs_to :footwear
has_many :socks, :dependent => :destroy
end