This article is the follow up of “Using the Ruby on Rails web framework – How to install Rails and create a simple blog (Part 1)”.

In Part 1 of this tutorial (Step 1 to 8) you looked at how to install Rails on a Hostmonster web account, you set up the database, created and populated tables, and set basic authentication up.

This part of the tutorial will make user participation possible and will add security and styling to the application.

9. Adding comments to the blog

You’ll have to use SSH and scaffolding again (explained in Part 1 of the tutorial)…

… and as usual, the next thing is to run the migration process…

… and this will create the “comments” table in the database…
… and an “entry.rb” model file (… plus many more files we don’t need to care about now). Let’s edit the “entry.rb” model file and add some validation and state that an entry can have many comments…

… and also edit the “comment.rb” model file to state that a comment always belongs to an entry…

The next thing you’ll do is that you change the “routes.rb” file in the ~/myrails/myblog/config folder. You’ll need to edit this bit at the top…

… and change it to…

What you want to do now is to display comments for the articles. It is obvious that you’ll have to edit the entry show view (~/myrails/myblog/app/views/entries/show.html.erb) adding some HTML and a Rails partial to it…

To make the comment partial display, you need to create a new comments view called “_comment.html.erb” (~/myrails/myblog/app/views/comments) and add the following content to it…

Now when you navigate to an entry page, you can see the “Comments” title appearing, but of course as no one has posted a comment yet, there are no comments underneath…
The next step is to add a comment form to the entry pages…
Using Rails this is how you add it (to “_comment.html.erb”) …

You’ll have to make this form work now. Go to the comments controller that the comment scaffold created (~/myrails/myblog/app/controllers/comments_controller.rb), delete all content of the CommentsController class (but leave the class itself) and add the following…

Now if you submit a comment, the page will refresh and the comment will be displayed above the form…

10. Adding simple security to the application

The default model component of Ruby on Rails (Active Record) secures applications against most types of SQL injection. Rails has a built in filter for special SQL characters, which will escape ‘ , ” , the NULL character and line breaks. Where you used the “find()” or “create()” functions in your application, Rails escapes these special characters, so SQL injection can’t happen, for example…

Wherever you used the Rails function “h()” (e.g. in “_comment.html.erb”) your application is also escaping inappropriate HTML to avoid cross-site scripting (XSS) and CSS injection on display…

So when a hacker enters the following comment…

… the database and the browser will store and display the same comment, but the HTML code will be changed to…

Also, the Ruby on Rails website includes a brilliant document on securing Rails applications that web developers can use for their custom security needs.

11. Adding header and footer to the view

Your application currently has two views: entries and comments. You’re going to create an entirely new view for all parts of the blog and the two original views won’t be needed any more. You can delete them, if you want to.

Now create a new view file called “application.html.erb” in ~/myrails/myblog/app/views/layouts/ and place some sample HTML into it adding…

… where the changeable content of the application would go, such as…

Check out how your application looks now, and create a “myblog_style.css” file to edit your applications look. If necessary, you can delete the line linking to the scaffolding style in the view.

Check out the working application here.