tags:

views:

184

answers:

2
+1  Q: 

GET params in ruby-on-rails project - best practices?

I've inherited a little rails app and I need to extend it slightly. It's actually quite simple, but I want to make sure I'm doing it the right way...

If I visit myapp:3000/api/persons it gives me a full list of people in XML format. I want to pass param in the URL so that I can return users that match the login or the email e.g. yapp:3000/api/persons?login=jsmith would give me the person with the corresponding login. Here's the code:

def index
  if params.size > 2 # We have 'action' & 'controller' by default
   if params['login']
      @person = [Person.find(:first, :conditions => { :login => params['login'] })]
    elsif params['email']
      @persons = [Person.find(:first, :conditions => { :email => params['email'] })]
    end
  else
    @persons = Person.find(:all)
  end
end

Two questions...

  1. Is it safe? Does ActiveRecord protect me from SQL injection attacks (notice I'm trusting the params that are coming in)?
  2. Is this the best way to do it, or is there some automagical rails feature I'm not familiar with?
A: 

Here's the ruby on rails security guide section on SQL Injection. It looks like what you have, using hash conditions, is pretty safe. Sounds like using Person.find_by_login or Person.find_by_email might be a little better.

Corey  2010-03-25 23:52:57
+3  A: 
  1. Yes, the code you listed should be safe from SQL Injection.
  2. Yes, this is generally acceptable rails code...but

There are some oddities.

Your index action talks about @person and @persons. By convention, @persons is expected, and @person is unusual. I suspect you can eliminate @person, and clear things up in one swoop. Something like this (untested): 

def index
  @persons = if params[:email]
    Person.find_all_by_email(params[:email])
  elsif params[:login]
    Person.find_all_by_login(params[:login])
  else
    Person.all
  end
end

Don't forget to update your view -- I suspect it's still looking for @person. If your view is doing anything "interesting" with @person, you probably want to move it to your show action.

Levi  2010-03-26 04:39:08
note -- find_all_by_xxxx returns an array, which should not be confused with find_by_xxxx, which would return any old match or nil.
Levi  2010-03-26 04:41:05

related questions

Best place to get Ruby on Vista up and running as dev environment
How can I encode xml files to xfdl (base64-gzip)?
What is the best way to learn Ruby?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a Class using the Singleton Design Pattern in Ruby?
How do I update Ruby Gems from behind a Proxy (ISA-NTLM)
Why Should I Learn Ruby?
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
How do I rake tasks within a ruby script?
Ruby On Rails with Windows Vista - Best Setup?
Mapping values from two array in Ruby
Reverse DNS in Ruby?
Text Editor For Linux (Besides Vi)?
What is good forum software to add to an existing Rails application?
Calling Bash Commands From Ruby
How can I modify .xfdl files? (Update #1)
How do I use (n)curses in Ruby?
Open Source Ruby Projects
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
When to use lambda, when to use Proc.new?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.
.NET Migrations Engine
How do I add existing comments to RDoc in Ruby?