Hi,
This is a piece of code found in a fictional Rails controller and
model.
Please point out any bugs or security problems in the code, fix them,
and refactor the code to make it cleaner.

class ProfileController < ApplicationController
  def show
    @user = User.find(:first, :conditions => "name = '#{params[:name]}'")
    @roles = Role.find(:all, :conditions => "user_id = #{@user.id}")
  end
end

class User < ActiveRecord::Base
end

class Role < ActiveRecord::Base
end

Please help me out.

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

  • Neethu Satheesh at Feb 3, 2012 at 8:31 am
    Hi Srimanta,

    Assigning values directly to the DB columns from the UI can cause SQL
    injection. To avoid this, I would write this as:

    @user = User.find(:first, :conditions => ["name = ?", params[:name]])

    I think your association between User and Role is as follows:

    User has many roles
    Role has many users

    For this you may be using the model associations as:

    class User < ActiveRecord::Base
      has_many :users_roles
      has_many :roles, :through => :users_roles
    end

    class Role < ActiveRecord::Base
      has_many :users_roles
      has_many :users, :through => :users_roles
    end

    # Join model implied by the :users_roles associations above (table
    # users_roles with user_id and role_id); has_many :through needs it.
    class UsersRole < ActiveRecord::Base
      belongs_to :user
      belongs_to :role
    end
    From this, the ProfileController can be written as:

    class ProfileController < ApplicationController
      def show
        # Placeholder binding: params[:name] is quoted by the database
        # adapter, never interpolated into the SQL text.
        @user = User.find(:first, :conditions => ["name = ?", params[:name]])
        # find(:first, ...) returns nil when nothing matches; raising here
        # lets Rails answer 404 instead of failing on @user.roles.
        raise ActiveRecord::RecordNotFound unless @user
        @roles = @user.roles
      end
    end

    Thanks,

    Neethu

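An added example, not part of Neethu's post and not Rails code: a plain-Ruby model of the two ways of building the WHERE clause discussed in the reply, so the effect of an injected value is visible without a database. The helper names (quote_sql_value, interpolated_condition, parameterized_condition, sql_outside_literals, injected?) are this example's own, and the attacker payload is constructed for the demonstration.

```ruby
# Added example (not from the original thread or from Rails): models the
# string-interpolated :conditions from the question beside the placeholder
# form from the reply, then checks where the user-supplied text ends up.

# Quote one value as a SQL literal. Strings are wrapped in single quotes with
# embedded quotes doubled (the SQL-standard escape); integers pass through;
# nil becomes NULL. ActiveRecord's connection.quote does this for the real
# adapter; this is a simplified stand-in, not the Rails method.
def quote_sql_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# The original controller's style:
#   User.find(:first, :conditions => "name = '#{params[:name]}'")
# The request parameter is pasted into the SQL text as-is.
def interpolated_condition(name)
  "name = '#{name}'"
end

# The style from the reply:
#   User.find(:first, :conditions => ["name = ?", params[:name]])
# Each ? is replaced by a quoted, escaped literal, so whatever the value
# contains stays inside one string literal and cannot add operators or
# clauses. A placeholder/value mismatch is an error, as it is in Rails.
def parameterized_condition(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "wrong number of bind variables for #{template.inspect}"
  end
  pending = values.dup
  template.gsub("?") { quote_sql_value(pending.shift) }
end

# Strip every single-quoted literal (treating '' inside one as an escaped
# quote) and return what is left: the part of the statement the database
# parses as keywords, operators and identifiers.
def sql_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# True when SQL that should have been data (an OR, a statement terminator,
# or a comment marker) has ended up outside the string literals.
def injected?(sql)
  sql_outside_literals(sql).match?(/\bOR\b|;|--/i)
end

# Constructed attacker input for the demonstration.
PAYLOAD = "' OR 1=1 --".freeze

if __FILE__ == $0
  puts "interpolated:  #{interpolated_condition(PAYLOAD)}"
  puts "  injected? #{injected?(interpolated_condition(PAYLOAD))}"
  puts "parameterized: #{parameterized_condition('name = ?', PAYLOAD)}"
  puts "  injected? #{injected?(parameterized_condition('name = ?', PAYLOAD))}"
  puts "integer bind:  #{parameterized_condition('user_id = ?', 42)}"
end
```

With the interpolated form the payload closes the literal early and the rest of the input becomes live SQL; with the placeholder form the same bytes remain one quoted string. The quoting here is deliberately minimal (no adapter-specific escaping such as MySQL's backslash rules), which is the reason to leave quoting to the adapter through `?` placeholders rather than hand-rolling it in application code.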
  • Srimanta Chakraborty at Feb 3, 2012 at 9:16 am
    Thanks a lot.

  • Srimanta Chakraborty at Feb 3, 2012 at 9:35 am

    Srimanta Chakraborty wrote in post #1043866:
    Thanks a lot to Neethu Satheesh.
    Can you help me once again to answer the following:
    What problems can arise when a user hits the get_pdf action?
    If there are problems, how can they be solved?

    class PdfController < ApplicationController
      def get_pdf
        send_data Pdf.create(params[:contents])
      end
    end

    class Pdf
      def self.create(contents)
        make_pdf(contents) # takes 30 seconds to run
      end
    end
    Thanks Neethu Satheesh, no need to answer the above question; I have
    solved that problem.

  • Michael Pavling at Feb 3, 2012 at 8:51 am

    On 3 February 2012 07:07, Srimanta Chakraborty wrote:
    This is a piece of code found in a fictional Rails controller and
    model.
    Please point out any bugs or security problems in the code, fix them,
    and refactor the code to make it cleaner.
    Sure... how much are you offering to pay for people to do your
    fictional homework for you?
    :rollseyes: ;-)


Discussion Overview
group: rubyonrails-talk
categories: rubyonrails
posted: Feb 3, '12 at 7:07a
active: Feb 3, '12 at 9:35a
posts: 5
users: 2
website: rubyonrails.org
irc: #RubyOnRails