rails 3控制器选择型号

时间:2011-09-15 04:47:09

标签: ruby-on-rails ruby-on-rails-3

我的控制器中有一些不能正常工作的东西。

我的控制器

  if params[:commit]
  @search = Building.select('buildings.id, buildings.slug, floors.id, spaces.id, buildings.name, floors.floor_number, spaces.space_number').joins('INNER JOIN floors ON floors.building_id = buildings.id INNER JOIN spaces ON spaces.floor_id = floors.id')
  @search = @search.where("buildings.name like '%#{params[:building_name]}%'") if !params[:building_name].blank?
  #@search = @search.where("buildings.name like ?", params[:building_name]) if !params[:building_name].blank?
  if params[:space_type].present?
    @search = @search.where("spaces.space_type_id = ?", params[:space_type][:space_type_id]) if !params[:space_type][:space_type_id].blank?
  end
  @search = @search.where("floors.min_net_rent >= #{params[:floor_min_rent]}") if !params[:floor_min_rent].blank?
  @search = @search.where("floors.max_net_rent <= #{params[:floor_max_rent]}") if !params[:floor_max_rent].blank?

  @building = @search
else
  @building = ''

end

我的模特

class Building < ActiveRecord::Base

  has_many :floors

end


class Floor < ActiveRecord::Base

  belongs_to :building
  has_many :space

end

class Space < ActiveRecord::Base
  belongs_to :floor
end

debug&lt;%= debug @building%&gt;回来我

[#<Building id: 9, name: "234234", slug: nil>] (as example)

但我想获得有关地板和空间的信息。

有人知道如何解决这个问题?

感谢。

3 个答案:

答案 0 :(得分:0)

尝试使用[]

例如

@orders = Order.select("orders.*, cities.name AS city_name, countries.name AS country_name, customers.account_id as customer_acc").
      joins("LEFT JOIN customers ON customers.id = orders.customer_id").
      joins("LEFT JOIN cities ON orders.city_id = cities.id").
      joins("LEFT JOIN countries ON cities.country_id = countries.id")

在视图中:

<tbody>
    <% @orders.each do |order| %>
        <tr class="">
            <td><%= order[:country_name] %></td>
            <td><%= order[:city_name] %></td>
        <td><%= order.type_code %></td>
            <td><%= order[:customer_acc] %></td>
        <td><%= order.detail %></td>
        <td><%= order.number %></td>
            <td><%= order.expire_date %></td>
        <td><%= order.status %></td>
        </tr>
    <% end %>
  </tbody>

答案 1 :(得分:0)

使用select(),only attributes belonging to your model will be accessible through your record object时。然后,您必须使用@ building.floors,@ floor.building等关联来处理数据。仔细查看the association methods that ActiveRecord creates

我还建议您在寻找有关楼层和空间的信息时,在楼层或空间上开始查询,而不是在建筑物上。

答案 2 :(得分:0)

@neimad,不是您问题的直接答案,但是您可以通过直接在查询中嵌入参数来让自己为SQL injection attacks开放:

即。 

@search = @search.where("buildings.name like '%#{params[:building_name]}%'") if !params[:building_name].blank?
如果我将params[:building_name]设置为恶意内容,则

容易受到攻击。

使用

@search = @search.where("buildings.name like ?", "%#{params[:building_name]}%") if !params[:building_name].blank?
另一方面,

将正确地逃避您的build_name参数。

即使我不是恶意的,搜索建筑物名称:Kristian's Building也会破坏此查询。同样的问题适用于楼层租金最大/最小条件

相关问题
最新问题