Patrick is 100% right. And he's not even being paranoid; it is almost
guaranteed that someone will try this.
This is how I would do it, and as Patrick suggests, put it in a helper:
if %w(low medium high).include?(params[:id])
  instance_variable_set("@#{params[:id]}", user.send(params[:id]))
else
  # somebody is being really naughty, blow up their computer
end
You can then get the instance variable by invoking
instance_variable_get("@#{params[:id]}")
On Feb 5, 12:02 pm, Patrick Doyle <[email protected]> wrote:
> Be careful here, depending on your user base of course.
>
> What will you do if {params[:id]} (I know, incorrect syntax), evaluates to
> "delete!" or something else.
>
> If you have a completely trustworthy user base (such as only you, or only
> your colleagues, whom you should trust implicitly, otherwise, why would you
> want to work with them), then once you figure out the right syntax (which
> probably involves the use of #send, or something like that), you should be
> fine.
>
> If you are exposing this to the wild world wide web (WWWW), then I would
> recommend against this.
>
> You would probably be better off writing a helper function that mapped
> params[:id] into one of the acceptable values. Perhaps something like:
>
> def better_form_of_low(user, id)
>   case id.to_s   # params values are strings, so compare against strings
>   when "low"
>     user.low
>   when "high"
>     user.high
>   end
> end
>
> and call that with better_form_of_low(@user, params[:id])
>
> just my $.02 from my paranoid mind :-)
>
> --wpd
>
> On Thu, Feb 5, 2009 at 11:38 AM, Tom Ha <[email protected]> wrote:
>
> > Well, basically *everywhere* where it says "low" in the below code
> > example:
>
> > The "resulting" code...
> > ==========================
> > if @user.low == true
> >   @low = false
> > elsif @user.low == false
> >   @low = true
> > end
>
> > [...]
> > ==========================
>
> > ...is supposed to be "generated" by something like this... (which is NOT
> > yet correct syntax)
>
> > ==========================
> > if @user.{params[:id]} == true
> >   @{params[:id]} = false
> > elsif @user.{params[:id]} == false
> >   @{params[:id]} = true
> > end
>
> > [...]
> > ==========================
>
> > Thanks for your help!
> > --
> > Posted via http://www.ruby-forum.com/.
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
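A complete, runnable version of the allow-list approach discussed in this thread, added here as an example and not taken from any of the posts: the `User` struct is a constructed stand-in for the poster's ActiveRecord model (its `delete!` method is constructed too, standing in for the kind of destructive method Patrick warns about), `TOGGLEABLE`, `toggle_flag` and `attribute_for` are names chosen for this example. It shows that a request value such as "delete!" never reaches `send` at all, because the name is matched against a fixed list of strings before any dynamic dispatch happens.

```ruby
# Added example (not code from the thread): guarding a user-supplied attribute
# name with an allow-list before any dynamic dispatch on a model object.

# Constructed stand-in for the ActiveRecord model in the thread.
User = Struct.new(:low, :medium, :high) do
  # Constructed destructive method: must never be reachable from params.
  def delete!
    raise "delete! was called"
  end
end

# Allow-list of attribute names that a request may toggle. Kept as strings,
# because params values arrive as strings, not symbols.
TOGGLEABLE = %w[low medium high].freeze

# Flips the named boolean attribute and returns its new value.
# Raises ArgumentError for any name not on the allow-list, so no #send or
# #public_send is ever performed with an unchecked request value.
def toggle_flag(user, name)
  attr = TOGGLEABLE.find { |allowed| allowed == name.to_s }
  raise ArgumentError, "not a toggleable attribute: #{name.inspect}" unless attr

  new_value = !user.public_send(attr)
  user.public_send("#{attr}=", new_value)
  new_value
end

# Explicit-case variant in the spirit of Patrick's helper: maps the request
# value to one of the acceptable attributes without dynamic dispatch at all.
def attribute_for(user, name)
  case name.to_s
  when "low"    then user.low
  when "medium" then user.medium
  when "high"   then user.high
  else raise ArgumentError, "unknown attribute: #{name.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  u = User.new(true, false, false)
  p toggle_flag(u, "low")       # prints false (it was true)
  p attribute_for(u, "low")     # prints false
  begin
    toggle_flag(u, "delete!")   # rejected before any dispatch
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The caller can still do `instance_variable_set("@#{params[:id]}", ...)` with the returned value, as in the reply above, since by that point `params[:id]` is known to be one of the listed names.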