validating the whole app against dangerous characters

Hi Harp,

Not an expert so take this with a very large pinch of salt.

If your underlying requirement is to stop SQL Injection type attacks then Ruby by default protects you in many cases.

Code such as User.find(params[:id]) would be safe, as find would escape the string, making it safe.

If you construct SQL code on the fly such as

"Select * from user where name = #{@user.name}"

then it's not safe and you should use the bind variable facility, which is something like

["Select * from user where name = :user_name", {:user_name => params[:name]}]

Otherwise, look into filters. It would be possible to use these, I think, but I am not sure if one can do a before_find filter.

As I say, large dose of salt, as I am pretty new to this.

Also, it would be an idea to get a copy of Agile Web Development with Rails, second edition, which is available in PDF form only as it is still in prerelease form; it covers these topics. The second edition of this book is much better than the first (not that that was bad).

Regards

Sean
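The two query forms discussed above, interpolation versus bind variables, as an added example that is not part of Sean's post and does not use ActiveRecord itself. It runs stand-alone: `quote_sql` and `bind_sql` are simplified stand-ins written here to mimic what ActiveRecord's array-with-hash form does when it substitutes `:user_name`, and the attacker input is constructed for the demonstration. The point it shows is that the interpolated string lets a quote in the input close the literal and append `OR '1'='1'`, while the bound form doubles the quote so the whole input stays inside one string literal.

```ruby
# Added example, not from the original post. The quoting below mimics what
# ActiveRecord does for a ["... :name", {:name => value}] condition; it is a
# simplified stand-in, not ActiveRecord's own code.

# Constructed attacker input: a single quote closes the literal, then a
# tautology is appended so the WHERE clause matches every row.
MALICIOUS_NAME = "x' OR '1'='1"

# Unsafe: the interpolation pattern the post warns about.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote one Ruby value as a SQL literal (assumed, simplified behaviour:
# numbers pass through, nil becomes NULL, everything else is a quoted
# string with embedded single quotes doubled).
def quote_sql(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each :placeholder with the quoted value from the binds hash,
# the way the ["... :user_name", {:user_name => ...}] form works.
# A placeholder with no bind value is an error rather than silently kept.
def bind_sql(sql, binds)
  sql.gsub(/:(\w+)/) do
    key = Regexp.last_match(1).to_sym
    raise ArgumentError, "missing bind value for :#{key}" unless binds.key?(key)
    quote_sql(binds[key])
  end
end

# Safe: the same query built with a named bind variable.
def safe_query(name)
  bind_sql("SELECT * FROM users WHERE name = :user_name", { user_name: name })
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_query(MALICIOUS_NAME)}"
  puts "safe:   #{safe_query(MALICIOUS_NAME)}"
end
```

Running it prints the unsafe query as `... WHERE name = 'x' OR '1'='1'`, which is a valid statement that returns every user, and the safe one as `... WHERE name = 'x'' OR ''1''=''1'`, which only matches a user literally named `x' OR '1'='1`. Real ActiveRecord also handles `::` casts and type-specific quoting that this stand-in skips, so use the library's own conditions array in an application rather than this helper.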