获取加载ActiveModel一个:: ForbiddenAttributesError在控制器

Question

我执行在控制器中search方法，和我不断收到此错误：

ActiveModel::ForbiddenAttributesError in TripsController#search 

Extracted source (around line #22): 

的违规行为以下块中：

if params[:search].present? 
    @trips = Trip.where("destination LIKE :destination", {:destination=> "%#{params[:search].first}%"}).where(@filters) 
else 
    @trips = (Trip.where(@filters)) rescue (Trip.where(@filters).paginate(:page => params[:page], :per_page => 10)) 
end 

以下是完整的方法代码：

def search 
    @languages = Trip.pluck(:language).uniq 
    @interests = Trip.pluck(:interests).uniq 
    @destinations = Trip.pluck(:destination).uniq 

    @filters = params.slice(:language,:interests) 
    @search_param = params[:search].first rescue nil 
    @language_param = params[:language] 
    @intersts_param = params[:interests] 

    if params[:search].present? 
     @trips = Trip.where("destination LIKE :destination", {:destination=> "%#{params[:search].first}%"}).where(@filters) 
    else 
     @trips = (Trip.where(@filters)) rescue (Trip.where(@filters).paginate(:page => params[:page], :per_page => 10)) 
    end 
    end 

Answer 1

您需要使用Rails的强大的对米。 即使您不使用参数来创建模型如果您使用params.slice并将结果传递给查询，则Rails将引发异常。

这是使用Rails 4来避免大规模分配漏洞非常积极主动的做法所致。

def search 
    @languages = Trip.pluck(:language).uniq 
    @interests = Trip.pluck(:interests).uniq 
    @destinations = Trip.pluck(:destination).uniq 
    @filters = params.permit(:language,:interests) 
    @search_param = params.permit(search: []) 
    @language_param = @filters[:language] 
    @intersts_param = @filters[:interests] 

    if params[:search].present? 
    # you don't need named placeholders for a single parameter... 
    @trips = Trip.where("destination LIKE ?", params[:search].first) 
       .where(@filters) 
    else 
    @trips = (Trip.where(@filters)) rescue (Trip.where(@filters).paginate(:page => params[:page], :per_page => 10)) 
    end 
end 

但是在.where(@filters)你打破了基本规则，并通过用户输入直接进入SQL查询。

相反，你应该使用这样的：

Trip.where(language: @filters[:language]) 

这将创建一个 “？WHERE trips.language =”使用占位符查询来消除SQL注入漏洞。