So, this is really a Rails pattern question.
I have a Rails 3.0.9 application that works, and well. We’re using Airbrake to detect and report errors, and that’s helped tune the last few leaks in the program design.
Only, now it gets attacked by robots (Google, crawlers, etc) with bad input.
ActiveRecord::StatementInvalid: PGError: ERROR: invalid input syntax for integer:
"google_ads_dbg" LINE 1: ....message_thread_id WHERE "message_threads"."id" =
'google_ad... ^ : SELECT "message_threads".* FROM "message_threads" INNER JOIN
"message_thread_users" ON "message_threads".id = "message_thread_users".message_thread_id
WHERE "message_threads"."id" = 'google_ads_dbg' AND (("message_thread_users".user_id =
33899)) LIMIT 1
The restful routes:
resource :inbox do
  resources :messages
end
The first line of the MessagesController#show:
@message_thread = current_user.message_threads.find(params[:id])
Do I prefix every .find(params[:id]) call with a check that validates the integer-ness of the input? Do I tack on :constraints => {:id => /[0-9]+/} to every resource line in my routes.rb?
You can supply the constraints for multiple resources at once.
This makes most sense to me. You could validate the integer in before-filters in your controllers, but I think that’s a messy alternative given your situation.
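Added example (not code from the asker or the answerer): a routes.rb fragment, shown as a comment, that wraps several resources in one constraints block, plus a plain-Ruby check that mirrors the whole-segment match Rails applies to a route constraint, so the bad input from the question can be run through it without a Rails install. The `contacts` resource and the routes layout are assumed placeholders.

```ruby
# config/routes.rb (assumed layout, inside the routes.draw block). One
# constraints block covers every resource nested in it, so :id must be all
# digits for the inbox, its messages and the contacts resource alike:
#
#   constraints(id: /\d+/) do
#     resource :inbox do
#       resources :messages
#     end
#     resources :contacts   # placeholder, not from the question
#   end
#
# Rails anchors a constraint regexp to the whole path segment (it refuses
# explicit ^ and $ anchors), so "google_ads_dbg" or "12abc" never reaches
# the controller; the router answers with a routing error instead of
# letting find() hand the string to PostgreSQL.

ID_CONSTRAINT = /\d+/

# Mirror of the router's check: true only when the entire segment matches
# the constraint, which is what Rails does with the unanchored regexp.
def id_segment_allowed?(segment, constraint = ID_CONSTRAINT)
  anchored = /\A(?:#{constraint.source})\z/
  anchored.match?(segment)
end

# The before_action alternative from the answer, for comparison: coerce the
# param to an Integer only after the same whole-segment check, returning nil
# (where a controller would render a 404) on anything else.
def coerce_id(param)
  return nil unless id_segment_allowed?(param.to_s)
  Integer(param, 10)
end

if __FILE__ == $0
  # Constructed sample segments: one valid id, the crawler input from the
  # question's error, and a mixed string an unanchored regexp would accept.
  %w[42 google_ads_dbg 12abc].each do |seg|
    puts "#{seg.inspect} -> routed: #{id_segment_allowed?(seg)}, id: #{coerce_id(seg).inspect}"
  end
end
```

The anchoring is the detail worth checking: a bare `/\d+/` tested with `=~` in your own code would match "12abc", so a hand-rolled before-filter needs `\A...\z` itself, whereas the route constraint gets it for free.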