Problem in Rails Controller and Model

Hi,

This is a piece of code found in a fictional Rails controller and model. Please point out any bugs or security problems in the code, fix them, and refactor the code to make it cleaner.

class ProfileController < ApplicationController
  def show
    @user = User.find(:first, :conditions => "name = '#{params[:name]}'")
    @roles = Role.find(:all, :conditions => "user_id = #{@user.id}")
  end
end

class User < ActiveRecord::Base
end

class Role < ActiveRecord::Base
end

Please help me out.

Hi Srimanta,

Assigning values directly to the DB columns from the UI can cause SQL injection. To avoid this, I would write this as:

@user = User.find(:first, :conditions => ["name = ?", params[:name]])

I think your association between User and Role is as follows:

User has many roles
Role has many users

For this you may be using the model association as:

# Both models go through a join table; this assumes a UsersRole join model
# (table users_roles) with belongs_to :user and belongs_to :role.
class User < ActiveRecord::Base
  has_many :users_roles
  has_many :roles, :through => :users_roles
end

class Role < ActiveRecord::Base
  has_many :users_roles
  has_many :users, :through => :users_roles
end

From this, the ProfileController can be written as:

class ProfileController < ApplicationController
  def show
    # the ? placeholder is substituted with a quoted value, so params[:name]
    # is treated as data rather than as part of the SQL
    @user = User.find(:first, :conditions => ["name = ?", params[:name]])
    @roles = @user.roles
  end
end

Thanks,

Neethu
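To make the difference between the two condition styles concrete, here is an added example that is not part of the thread and does not use ActiveRecord. It builds the WHERE clause both ways on a constructed hostile value for params[:name]. The quote_sql and bound_condition helpers are a simplified stand-in for what ActiveRecord's placeholder substitution does (they are assumptions for illustration, not ActiveRecord's own code); the point is that with interpolation the input rewrites the query, while with a placeholder the whole input stays inside one string literal.

```ruby
# Added example (not from the thread): building the WHERE clause the way the
# original controller does versus the way the placeholder form does.

# The original controller's approach: the raw parameter is pasted into the SQL.
def interpolated_condition(name)
  "name = '#{name}'"
end

# Minimal SQL string-literal quoting (assumption, standing in for the database
# adapter's quoting): wrap in single quotes and double any embedded single
# quote, so the value can never terminate the literal early.
def quote_sql(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for the ["name = ?", value] form: each ? is replaced by the quoted
# value. Raises if the placeholder and value counts differ, as ActiveRecord does.
def bound_condition(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder count mismatch"
  end
  # block form of sub! so backslashes in the value are not treated as
  # back-references in the replacement string
  values.each_with_object(template.dup) do |v, sql|
    sql.sub!("?") { quote_sql(v) }
  end
end

# True only when everything after "name = " is a single well-formed SQL string
# literal (quotes inside it doubled), i.e. the input was kept as data.
def whole_value_quoted?(clause)
  !!(clause =~ /\Aname = '(?:[^']|'')*'\z/)
end

# Constructed hostile input: closes the literal and appends a tautology.
HOSTILE_NAME = "x' OR '1'='1"

# Returns the two clauses side by side for a given name.
def compare(name)
  {
    :interpolated => interpolated_condition(name),
    :bound        => bound_condition("name = ?", name)
  }
end

if __FILE__ == $0
  compare(HOSTILE_NAME).each do |style, clause|
    puts "#{style}: #{clause}  (single literal? #{whole_value_quoted?(clause)})"
  end
end
```

Two things worth checking alongside the fix from the reply above: User.find(:first, ...) returns nil when no row matches, so @user.roles (and @user.id in the original) raises on an unknown name; guarding with something like `User.find_by_name(params[:name]) or raise ActiveRecord::RecordNotFound` turns that into a 404 instead of a 500. And the placeholder form only protects values; column or table names supplied by the user still need a whitelist, since they cannot be quoted as data.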

Sure... how much are you offering to pay for people to do your fictional homework for you? :rollseyes: :wink:

Thanks a lot.

Srimanta Chakraborty wrote in post #1043866:

Thanks a lot to Neethu Satheesh. Can you help me once again to answer the following: what problems can arise when users hit the get_pdf action? If there are problems, how can they be solved?

class PdfController < ApplicationController
  def get_pdf
    send_data Pdf.create(params[:contents])
  end
end

class Pdf
  def self.create(contents)
    make_pdf(contents) # takes 30 seconds to run
  end
end

Thanks Neethu Satheesh, no need to answer the above question I have solved that problem.
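The thread does not say how the get_pdf problem was solved, so the following is an added example of one common way to handle it, not the original poster's solution. A 30-second Pdf.create inside the request ties up a server process for the whole build, so a handful of concurrent requests (or a deliberately repeated one) can exhaust the workers, and params[:contents] reaches the builder with no size or type check. The example moves the build behind a job queue: the request validates the input, records a job under an unguessable token and returns at once; a worker outside the request cycle runs the build; a status action is polled for the result. PdfJobs, its size limit and the FAKE_BUILDER stand-in for the slow Pdf.create are assumptions made for this illustration; a real deployment would use a persistent queue and a separate worker process.

```ruby
require "securerandom"
require "thread"

# Added example (not from the thread): an in-memory job queue that keeps a slow
# PDF build out of the web request. Everything here is an assumption for
# illustration, not the original poster's code.
class PdfJobs
  MAX_CONTENT_BYTES = 64 * 1024   # assumed cap on user-supplied input

  def initialize(builder)
    @builder = builder            # callable that turns contents into PDF bytes
    @jobs    = {}                 # token => { :state => ..., :result => ... }
    @queue   = Queue.new
    @lock    = Mutex.new
  end

  # Request side: validate, record the job, return a token immediately.
  # The token is random so one user cannot fetch another user's PDF.
  def enqueue(contents)
    raise ArgumentError, "contents must be a String" unless contents.is_a?(String)
    raise ArgumentError, "contents too large" if contents.bytesize > MAX_CONTENT_BYTES
    token = SecureRandom.hex(16)
    @lock.synchronize { @jobs[token] = { :state => :pending, :result => nil } }
    @queue << [token, contents]
    token
  end

  # Worker side, run outside any web request: process up to max pending jobs.
  # A failing build is recorded as :failed rather than taking the worker down.
  def work_off(max = 1)
    done = 0
    while done < max && !@queue.empty?
      token, contents = @queue.pop
      outcome = begin
        { :state => :done, :result => @builder.call(contents) }
      rescue StandardError => e
        { :state => :failed, :result => e.message }
      end
      @lock.synchronize { @jobs[token] = outcome }
      done += 1
    end
    done
  end

  # Polled by a status action; nil for an unknown token.
  def status(token)
    @lock.synchronize { (j = @jobs[token]) && j[:state] }
  end

  # The PDF bytes once the job is done, nil otherwise.
  def result(token)
    @lock.synchronize do
      j = @jobs[token]
      j && j[:state] == :done ? j[:result] : nil
    end
  end
end

# Stand-in for the slow Pdf.create so the example runs instantly.
FAKE_BUILDER = lambda { |contents| "%PDF-1.4 stub for #{contents.bytesize} bytes" }

# Constructed walk-through of what the controller and a worker would each do.
def demo
  jobs   = PdfJobs.new(FAKE_BUILDER)
  token  = jobs.enqueue("hello")     # get_pdf would return this token (or a 202)
  before = jobs.status(token)        # :pending while the worker has not run
  jobs.work_off                      # done by a worker process, not the request
  [before, jobs.status(token), jobs.result(token)]
end

puts demo.inspect if __FILE__ == $0
```

In the controller this splits into two actions: one that calls enqueue and responds with the token (or a 202 with a status URL), and one that checks status and only calls send_data, with an explicit :filename and :type => "application/pdf", once result is non-nil. Tie the token to the current session as well, so a guessed or leaked token still cannot be used by someone else.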