ruby - Rails user params only allows some certain attributes
In the controller I have:

    if params[:sort].nil?
      @sort = "created_at"
    else
      @sort = params[:sort]
    end
    @konkurrencer = konkurrencer.where("id not in(?)", @clicked).order("#{@sort} desc")

I want to add: if params[:sort] is something other than "created_at", "ratings", or "rating", it should sort by "created_at".
First, .order("#{@sort} desc") isn't a good idea when @sort is taken straight from params. Better to use .order('? desc', @sort).

http://guides.rubyonrails.org/security.html#sql-injection
I'm not sure if I've read the question correctly; I'm assuming you want created_at as the default order, with the other valid options being ratings and rating.

    @order = case params[:sort]
             when 'ratings' then 'ratings desc'
             when 'rating'  then 'rating desc'
             else                'created_at desc'
             end
    @konkurrencer = konkurrencer.where("id not in(?)", @clicked).order(@order)
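Both answers above point at the same issue: the column name in ORDER BY comes from the client. The example below is added here and is not code from the question or either answer. It puts the interpolating version from the question next to an allowlist version of the case/else approach from the second answer, generalized to also allowlist the sort direction. Note that a bind parameter (the '? desc' suggestion in the first answer) cannot name a column: a bound value is quoted as a string literal, so the database would sort by a constant rather than by the requested column, which is why a fixed mapping from input to identifier is the usual fix. SORT_COLUMNS, DIRECTIONS, build_order_sql and the hard-coded NOT IN (1, 2) are assumptions for this demo, and the functions return the SQL fragment as a string so the effect can be checked without ActiveRecord or a database.

```ruby
# Added example, not from the original question or answers.
# Allowlisting user-controlled ORDER BY input, shown next to the
# string-interpolation pattern from the question. Names such as
# SORT_COLUMNS and build_order_sql are assumptions for this demo.

# Columns a client may sort by, mapped to the exact identifier that is
# emitted. The client's string is only ever used as a Hash key, so none
# of it reaches the query text.
SORT_COLUMNS = {
  "created_at" => "created_at",
  "ratings"    => "ratings",
  "rating"     => "rating",
}.freeze
DEFAULT_SORT = "created_at"

# Sort direction gets the same treatment (the question only used desc;
# this generalizes it to an optional :dir parameter).
DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze
DEFAULT_DIRECTION = "DESC"

# Stand-in for the WHERE part of the question's query; the real code
# binds @clicked with "id not in(?)", which is fine and not the problem.
def build_order_sql(order_clause)
  "SELECT * FROM konkurrencer WHERE id NOT IN (1, 2) ORDER BY #{order_clause}"
end

# The pattern from the question: whatever the client sends is
# interpolated straight into ORDER BY. Kept deliberately vulnerable so
# the two outputs can be compared.
def unsafe_order_sql(params)
  sort = params[:sort].nil? ? "created_at" : params[:sort]
  build_order_sql("#{sort} desc")
end

# Hardened version: unknown columns fall back to created_at, unknown
# directions fall back to DESC, and the fragment is assembled only from
# the constant strings above. In a controller this would be
#   konkurrencer.where("id not in(?)", @clicked).order(safe_order_clause(params))
def safe_order_clause(params)
  column    = SORT_COLUMNS.fetch(params[:sort].to_s, DEFAULT_SORT)
  direction = DIRECTIONS.fetch(params[:dir].to_s.downcase, DEFAULT_DIRECTION)
  "#{column} #{direction}"
end

def safe_order_sql(params)
  build_order_sql(safe_order_clause(params))
end

if __FILE__ == $0
  # Constructed attacker input: a column name followed by a second statement.
  payload = { sort: "created_at; DROP TABLE konkurrencer; --" }
  puts "unsafe: #{unsafe_order_sql(payload)}"
  puts "safe:   #{safe_order_sql(payload)}"
  puts "safe:   #{safe_order_sql({ sort: "rating", dir: "asc" })}"
end
```

With the constructed payload the interpolating version emits the second statement verbatim, while the allowlisted version returns `created_at DESC`; Ruby-level validation like this is also independent of which database adapter is in use.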