Problem in Rails Controller and Model

Hi,
  This is a piece of code found in a fictional Rails controller and
model.
  Please point out any bugs or security problems in the code, fix them,
and refactor the code to make it cleaner.

class ProfileController < ApplicationController
  def show
    @user = User.find(:first, :conditions => "name = '#{params[:name]}'")
    @roles = Role.find(:all, :conditions => "user_id = #{@user.id}")
  end
end

class User < ActiveRecord::Base
end

class Role < ActiveRecord::Base
end

Please help me out.

Hi Srimanta,

Assigning values directly to the DB columns from the UI can cause SQL
injection. To avoid this, I would write this as:

@user = User.find(:first, :conditions => ["name = ?", params[:name]])

I think your association between User and Role is as follows:

User has many roles
Role has many users

For this you may be using the model association as:

class User < ActiveRecord::Base
  has_many :users_roles
  has_many :roles, :through => :users_roles
end

class Role < ActiveRecord::Base
  has_many :users_roles
  has_many :users, :through => :users_roles
end

# Join model required by the :through associations above
class UsersRole < ActiveRecord::Base
  belongs_to :user
  belongs_to :role
end

From this, the ProfileController can be written as:

class ProfileController < ApplicationController
  def show
    @user = User.find(:first, :conditions => ["name = ?", params[:name]])
    @roles = @user.roles
  end
end

Thanks,

Neethu
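The difference between the two `find` calls above, shown as an added example that is not part of this thread and does not use Rails: a small pure-Ruby model of how a conditions array such as `["name = ?", value]` binds its value (ActiveRecord quotes each bound value before substituting it into the SQL; the `sql_quote` and `bind_conditions` helpers below are simplified stand-ins for that behaviour, not the real adapter code) next to the string interpolation from the original controller. A perfectly legitimate name containing an apostrophe is enough to show why interpolation is wrong: it leaves the quotes unbalanced and the SQL broken, while the bound form stays well-formed.

```ruby
# Added example, not from the thread. Simplified model of how ActiveRecord
# binds values in a conditions array vs. plain string interpolation.

# Quote a Ruby value the way a SQL adapter would: strings are wrapped in
# single quotes with embedded single quotes doubled, integers pass through.
# (Simplified: real adapters also handle backslashes, dates, etc.)
def sql_quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Stand-in for the ["name = ?", value] form: each "?" is replaced by the
# quoted value, so the value can only ever appear as a literal.
def bind_conditions(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "expected #{template.count('?')} bind values, got #{values.length}"
  end
  pending = values.dup
  template.gsub("?") { sql_quote(pending.shift) }
end

# The pattern from the original controller: the raw value is pasted into
# the SQL string without any quoting.
def interpolated_conditions(name)
  "name = '#{name}'"
end

# Cheap sanity check used below: a well-formed SQL fragment has an even
# number of single quotes.
def balanced_quotes?(sql)
  sql.count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a legitimate name with an apostrophe.
  name = "O'Brien"
  puts "interpolated: #{interpolated_conditions(name)}"   # quotes unbalanced
  puts "bound:        #{bind_conditions('name = ?', name)}"
  puts "user_id:      #{bind_conditions('user_id = ?', 42)}"
end
```

Running the file prints `name = 'O'Brien'` for the interpolated form (three quotes, a syntax error at best) and `name = 'O''Brien'` for the bound form; the second `find` in the fixed controller (`@user.roles`) avoids building SQL by hand at all.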

Sure... how much are you offering to pay for people to do your
fictional homework for you?
:rollseyes: :wink:

Thanks a lot.

Srimanta Chakraborty wrote in post #1043866:

Thanks a lot to Neethu Satheesh.
Can you help me once again to answer the following:
What problems can arise when users hit the get_pdf action?
   If there are problems, how can they be solved?

class PdfController < ApplicationController
  def get_pdf
    send_data Pdf.create(params[:contents])
  end
end

class Pdf
  def self.create(contents)
    make_pdf(contents) # takes 30 seconds to run
  end
end

Thanks Neethu Satheesh, no need to answer the above question; I have
solved that problem.