Topic: check non-existent items?

Hi all, I currently have a problem where I need to check whether some items exist in the database upon submit.

@items = Item.find(:all)
for item in @items
  if params[:items] != item.name
    error = TRUE
  end
end

if error == TRUE
  render(:text => 'Item does not exist.')
  return
end


This doesn't seem to be working though; it outputs the error even when the items do exist. Am I missing something here?

Re: check non-existent items?

It looks like the error will happen any time any of the item names in your database doesn't match the value of params[:items].  I can't imagine that's what you wanted it to do.

How would you explain what you're trying to check for?

Re: check non-existent items?

Thanks for the quick reply,

I've created a list of items in a form (so people can order these), by pulling the items out of the database (items table). What if someone was to add a non-existing item to that list, and then submit the form, and thusly order that non-existing item? So for example let's say the items jeans, jacket, socks are in the database, I wouldn't want anyone to order a shirt, because it's not in the database. Someone could add a shirt to the order form with some html hackery, and then what? That's the problem right there! So I tried to validate the form data against the items from the database, there seems to be a glitch or I'm just using a way too faulty approach!

Last edited by maestro (2006-12-28 11:08:55)

Re: check non-existent items?

First question,

How are you displaying the items?

Depending on what is coming back, checking for this is pretty easy.

Let's say you are building a blog and you want ppl to view your post at the following URL:
/posts/show/22

Now, in normal rails, the controller code would look something like this:

def show
  @posts = Post.find(params[:id])
end

where params[:id] = 22.

Now, you are worried about what happens if some stupid teenage hacker comes along and tries
/posts/show/32123 (or some other random number)

If the post isn't there, Rails will throw a RecordNotFound exception.  This provides us the opportunity to show that script kiddie who is boss.  We rewrite the controller code as such:

def show
  @posts = Post.find(params[:id])
rescue ActiveRecord::RecordNotFound
  # unknown id: send the visitor back to the index instead of raising
  redirect_to :action => :index
end

We use the rescue to catch the error and go somewhere else.  Sometimes I will add a flash[:warning] if it is necessary, but a lot of the times, I find myself just redirecting to the index so that the hacker doesn't know what happened.


hope that helps


--jake

---------------------------------------------------------------------
Rails Development - Agile rails consulting and development for startups on a budget
Flvorful Blog - Some ramblings
Flvorful's Open Source Projects - Some handy hacks for your rails projects.

Re: check non-existent items?

Hi Jake,

This is how I'm showing the items:

<%= form_remote_tag(:update => "form", :url => { :action => "progress" }) %>
  <% @items = Item.find(:all) %>
  <% for item in @items %>
      <%= radio_button_tag("item", item.id) %> <%= item.name %><br />
  <% end %>
  <%= submit_tag("Order") %>
<%= end_form_tag %>

So what if some script kiddie adds another item.id to that, and then order?
I liked the Rescue thingy, but that was for showing the items, what about ordering them?

Re: check non-existent items?

Then you would check for it in the progress method.

In your progress method, you prolly have something that tries to fetch the actual item from the db (something like @item = Item.find(params[:item_id])); put a begin, rescue block around the call like this:

def progress
  begin
    @item = Item.find(params[:item_id])
  rescue ActiveRecord::RecordNotFound
    # the submitted id matched no row; @item stays nil
  end
  # continue processing...
end

When you continue processing, you should check to make sure that @item isn't nil (@item.nil?); otherwise, just skip over that key and continue processing as normal.


--jake

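An added example, not code from this thread or from Rails, that runs without a database and pulls the two checks discussed above into one place: the first poster's name loop (which flags an error whenever any row's name differs from the submitted value, so with more than one row it always reports an error) beside a corrected membership test, and Jake's rescue-based id lookup from the progress method, applied to a whole submitted order. The Item class, its RecordNotFound error, and the jeans/jacket/socks rows are stand-ins constructed for the example; the ActiveRecord API they imitate is only Item.find.

```ruby
# Stand-in for ActiveRecord::RecordNotFound (constructed for this example).
class RecordNotFound < StandardError; end

# Minimal stand-in for an ActiveRecord model: a fixed in-memory table.
class Item
  attr_reader :id, :name

  def initialize(id, name)
    @id, @name = id, name
  end

  # Constructed sample rows, matching the names used in the thread.
  TABLE = [Item.new(1, "jeans"), Item.new(2, "jacket"), Item.new(3, "socks")].freeze

  # Mirrors the two ActiveRecord calls the thread uses:
  # Item.find(:all) returns every row; Item.find(id) returns one row
  # or raises RecordNotFound when no row has that id.
  def self.find(arg)
    return TABLE.dup if arg == :all
    row = TABLE.find { |item| item.id.to_s == arg.to_s }
    row or raise RecordNotFound, "Couldn't find Item with ID=#{arg}"
  end
end

# The loop from the first post, as written: the error is set as soon as
# ANY row's name differs from the submitted name, which is always the case
# once the table holds more than one row.
def original_check(submitted_name)
  error = false
  Item.find(:all).each { |item| error = true if submitted_name != item.name }
  error
end

# Corrected membership test: the submitted name is missing only when
# NO row matches it.
def item_name_missing?(submitted_name)
  Item.find(:all).none? { |item| item.name == submitted_name }
end

# Server-side check for the ordering form: every submitted id is resolved
# against the table, exactly as Jake's progress method does for one id.
# Ids that raise RecordNotFound (tampered values, junk) are recorded and
# skipped rather than ordered; the caller decides how to report them.
def resolve_order(submitted_ids)
  accepted, rejected = [], []
  Array(submitted_ids).each do |id|
    begin
      accepted << Item.find(id)
    rescue RecordNotFound
      rejected << id
    end
  end
  { accepted: accepted.map(&:name), rejected: rejected }
end

if __FILE__ == $0
  puts "original loop says 'jeans' is missing: #{original_check('jeans')}"
  puts "corrected test says 'jeans' is missing: #{item_name_missing?('jeans')}"
  puts "corrected test says 'shirt' is missing: #{item_name_missing?('shirt')}"
  p resolve_order(["2", "999", "abc", 3])
end
```

The order check keeps the rejected ids so the controller can log them or show a message, but never falls through to ordering with a nil item, which is the nil check Jake describes after the rescue.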