activerecord

问题 What are the Rails methods that are vulnerable to SQL injection, and in what form? For example, I know that where with a string argument is vulnerable: Model.where("name = #{params[:name}") # unsafe But a parameterized string or hash is not: Model.where("name = ?", params[:name]) # safe Model.where(name: params[:name]) # safe I'm mostly wondering about where , order , limit and joins , but would like to know about any other methods that might be attack vectors. 回答1: In Rails, where , order ,

问题 I am trying to retrieve an activerecord object from my db. My models are class User < ActiveRecord::Base belongs_to :account has_many :domains, :through => :account end And class Account < ActiveRecord::Base has_many :domains has_many :users end And class Domain < ActiveRecord::Base belongs_to :account end Now I would like to retrieve a user based on the username and a domain name (lets assume that these are attributes of the User and the Domain classes respectively). i.e. something along the

问题 I don't understand why I get the following error: ActiveRecord::AssociationTypeMismatch: User(#29943560) expected, got Fixnum when I do that in rails console: @game = Game.create(:player => 1060, :played => 1061) I just want to create a new Game regarding model associations below. class User < ActiveRecord::Base has_many :game_as_player, :class_name => 'Game', :foreign_key => 'player_id' has_many :game_as_played, :class_name => 'Game', :foreign_key => 'played_id' end class Game < ActiveRecord

问题 How can I select only those Employees who have associated Tag records? In other words, only select employee records that have one or more tag records associated with them. class Employee < ActiveRecord::Base has_and_belongs_to_many :tags end class Tag < ActiveRecord::Base has_and_belongs_to_many :employees end The query below (which is wrong) will give you guys an idea of what I'm trying to do. Employee.includes(:tags).where("tags.id != nil") 回答1: You can use .joins Employee.joins(:tags) The

问题 Is there any way to turn off Rails' SQL query caching globally? Or, at the very least, not use it when i enter a transaction block? Also, does sql query caching only apply to controller actions, or also to rake tasks or background daemons that i write that include Rails and use my models? 回答1: In Rails 5 we can disable active record query cache using the given function as a middleware. In application_controller.rb add the given code. around_action :disable_query_cache def disable_active

问题 I'm currently using Rails 2.3.9. I understand that specifying the :joins option in a query without an explicit :select automatically makes any records that are returned read-only. I have a situation where I would like to update the records and while I've read about different ways to approach it, I was wondering which way is the preferred or "proper" way. Specifically, my situation is that I have the following User model with an active named scope that performs a JOIN with the subscriptions

问题 I have a category with a list of items. The items have a position and the category has a relationship has_many :items, :order => "position". When a user updates a position value, I want to see its position. My position is a float to allow moving between rounded numbers. pos=item.category.items.map(&:id) current_position=pos.index(id.to_i) item.save # want to refresh the relationship here pos_new=item.categoty.items.map(&:id) # grabbing this since just accessing item isn't updated if

问题 Say I have a model called Transaction which has a :transaction_code attribute. I want that attribute to be automatically filled with a sequence number which may differ from id (e.g. Transaction with id=1 could have transaction_code=1000 ). I have tried to create a sequence on postgres and then making the default value for the transaction_code column the nextval of that sequence. The thing is, if I do not assign any value to @transaction.transaction_code on RoR, when I issue a @transaction

问题 Is there a way to have ARel write (sanitized, possibly aliased, etc.) column names into CONCAT() and other SQL functions? Here's how to do it with AVG()... ?> name = Arel::Attribute.new(Arel::Table.new(:countries), :name) => #<struct Arel::Attributes::Attribute [...] ?> population = Arel::Attribute.new(Arel::Table.new(:countries), :population) => #<struct Arel::Attributes::Attribute [...] ?> Country.select([name, population.average]).to_sql => "SELECT `countries`.`name`, AVG(`countries`.

问题 How do you write a NOT EXISTS in Arel? I'm having trouble translating this query into Arel: SELECT * FROM deals WHERE NOT EXISTS ( SELECT 1 FROM reward_deals WHERE reward_deals.deal_id = deal.id AND NOT ( reward_deals.awarding_type = 'deal' AND reward_deals.deal_id = reward_deals.awarding_id ) ) 回答1: Here is the answer, with strange names because I don't know how to give names for a domain that is for me unknown. deals = Deal.arel_table reward_deals = RewardDeal.arel_table awarding_condition=