I have this code inside the account controller in the "destroy" method
def destroy
  @account = Account.find(params[:id])
  @portal = Portal.find(:all, :conditions => ['account_id = ?', @account.id])
  @portal.destroy
  @account.destroy
end
any ideas?
the error displays this:
NoMethodError in AccountsController#destroy
undefined method `destroy' for #<Array:0x47982a0>
app/controllers/accounts_controller.rb:78:in `destroy'
It's not a bad idea if you're passing an id directly into params. I do
believe in this format it's properly sanitized already.
It converts it using the "to_i" function, because it assumes a primary
key lookup. "to_i" will yield to an integer value of 0 when applied to
a string.
There's absolutely no problem with passing a param value directly into
find using this method of find.
If you're passing it in as a condition, however, then yes, use the
question-mark or named-param method which will sanitize it better.
Julian.
Learn Ruby on Rails! Check out the FREE VIDS (for a limited time)
VIDEO #4 parts a and b now available!
http://sensei.zenunit.com/
I said it's a bad _habit_ to get into, and it is. The day will come
when you will make a custom route with a fairly liberal regular
expression that will allow an SQL exploit. It's best to just never
develop the habit of trusting params to begin with.
I may be wrong here, but the primary problem seems to be being able to
delete arbitrary accounts (in this case) by passing in the right
parameters. You might want to limit the scope of the delete to the
current user like this:
class ApplicationController < ActionController::Base
  def current_user
    @current_user ||= User.find session[:user_id] if !session[:user_id].blank?
  end
end
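The following is an added example, not code from any post in this thread and not Rails API: a dependency-free Ruby stand-in for the models in the question that shows both points raised above. First, `find(:all)` hands back a collection, so the portals have to be removed element-wise rather than by calling `destroy` on the Array (the NoMethodError in the original post). Second, the destroy action only ever looks up accounts within the requesting user's own set, so a guessed or tampered id cannot reach someone else's account, which is the scoping suggested in the last reply. `coerce_id` mirrors the `to_i` behaviour Julian describes. `Account`, `Portal`, `User`, `Store`, `destroy_action` and `build_store` are all constructed here for illustration.

```ruby
# Added example (not from the thread): plain-Ruby stand-in for the
# ActiveRecord models in the question. Nothing here is Rails API.

Account = Struct.new(:id, :owner_id)
Portal  = Struct.new(:id, :account_id)
User    = Struct.new(:id)

class Store
  attr_reader :accounts, :portals

  def initialize(accounts, portals)
    @accounts = accounts
    @portals  = portals
  end

  # Mirrors what Account.find(params[:id]) does with a raw parameter: the
  # value is coerced with to_i before it reaches SQL, so "2 OR 1=1" becomes
  # 2 and "abc" becomes 0 (which matches no row). Coercion prevents
  # injection through this path but says nothing about *whose* row id 2 is.
  def coerce_id(raw)
    raw.to_s.to_i
  end

  # Unscoped lookup, as in the original controller: any account id that
  # exists will be returned, regardless of who is asking.
  def find_account(raw_id)
    id = coerce_id(raw_id)
    @accounts.find { |a| a.id == id }
  end

  # Scoped lookup: the candidate set is restricted to the caller's own
  # accounts *before* the id is applied, the equivalent of
  # current_user.accounts.find(params[:id]) in Rails.
  def find_account_for(user, raw_id)
    id = coerce_id(raw_id)
    @accounts.find { |a| a.owner_id == user.id && a.id == id }
  end

  # Portals are a collection (find(:all) returns an Array), so they are
  # removed one by one; calling destroy on the Array itself is the error
  # reported in the original post.
  def destroy_account(account)
    @portals.reject! { |p| p.account_id == account.id }
    @accounts.delete(account)
  end
end

# Controller-style action: an account outside the requesting user's scope
# is treated exactly like a missing one, so the response leaks nothing.
def destroy_action(store, current_user, params)
  account = store.find_account_for(current_user, params[:id])
  return :not_found if account.nil?
  store.destroy_account(account)
  :destroyed
end

# Constructed sample data: user 10 owns account 1, user 20 owns account 2.
def build_store
  Store.new(
    [Account.new(1, 10), Account.new(2, 20)],
    [Portal.new(100, 1), Portal.new(101, 1), Portal.new(102, 2)]
  )
end

if __FILE__ == $0
  store = build_store
  alice = User.new(10)
  puts destroy_action(store, alice, id: "2")   # :not_found (not hers)
  puts destroy_action(store, alice, id: "1")   # :destroyed
  puts store.portals.map(&:id).inspect         # [102]
end
```

The scoped finder is the part that matters for authorization: with the unscoped `find_account`, the coercion alone still lets any signed-in user delete any account whose id they can guess.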