
rails params validation in controller

Is there a best practice to validate params in a controller?

@user = User.find_by_id(params[:id]) 

If I tamper with the param to give it an invalid :id param, say by visiting "/users/test", I can generate the following error:

Conversion failed when converting the nvarchar value 'test' to data type int.

I am thinking right now of params that won't go straight to a model and can be validated by model validations.

Yes, you should always validate your parameters. People can always mess around with the parameters in their web browser's address bar, or modify parameters stored in the DOM. Another example where parameters can be screwed up is if the webpage is left open a long time. Imagine someone is viewing the page "/users/3/edit" and leaves it open for an hour, then hits refresh. In the meantime that user may have been deleted. You don't want your website to crash - it should handle that gracefully.

Depending on your database and adapter, doing User.find_by_id("test") will not crash. But your database/adapter was not able to convert the string in to an integer. One thing you can do in this particular case is use Ruby's .to_i method.

User.find_by_id(params[:id].to_i)

If params[:id] = "12", Ruby will convert that to the integer 12 and the code will run fine. If params[:id] = "test", Ruby will convert that to the integer 0, and you should never have a database record with an ID of 0.

You can also use regular expressions to test if a string is an integer.

But in general, yes, try to always validate your parameters so you can handle errors gracefully and control the data coming in.
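The two approaches the answer mentions (.to_i and a regular expression) behave differently on junk input: "test".to_i is 0 but "12abc".to_i is 12, so a regex check before the conversion is the stricter option. The following is an added example, not code from the question or the answer, showing a strict id parser and a controller-style lookup that returns 400 or 404 instead of crashing. It is plain Ruby with no Rails dependency; the USERS hash, parse_id and show_user are constructed names for illustration, and the hash lookup stands in for find_by(id:), which also returns nil rather than raising when the row is gone.

```ruby
# Added example (not from the original question or answer): strict parsing of
# a route id parameter before it reaches the database, plus graceful handling
# of a missing record. Plain Ruby, no Rails required.

# Constructed stand-in for the users table: id => name.
USERS = { 3 => "alice", 12 => "bob" }.freeze

# Strict parse: accept only an unsigned decimal string with nothing around it.
# Returns an Integer, or nil when the string is not a usable id.
# Unlike String#to_i alone, "test" and "12abc" are rejected instead of
# silently becoming 0 or 12.
def parse_id(raw)
  return nil unless raw.is_a?(String) && raw.match?(/\A\d+\z/)
  id = raw.to_i
  id.positive? ? id : nil # database ids start at 1; reject "0" and "000"
end

# Simulates the controller action: params is the Rails-style hash, store the
# table. Returns a [status, body] pair the way a controller would render.
def show_user(params, store = USERS)
  id = parse_id(params[:id])
  return [400, "invalid id"] if id.nil?

  # find_by(id:) returns nil (no exception) when the row is gone, which covers
  # the stale-tab case where the user was deleted an hour ago.
  user = store[id]
  return [404, "user not found"] if user.nil?

  [200, user]
end

if $PROGRAM_NAME == __FILE__
  p show_user({ id: "12" })   # => [200, "bob"]
  p show_user({ id: "test" }) # => [400, "invalid id"]
  p show_user({ id: "3abc" }) # => [400, "invalid id"]
  p show_user({ id: "0" })    # => [400, "invalid id"]
  p show_user({ id: "99" })   # => [404, "user not found"]
end
```

In a real controller the same shape maps to `head :bad_request` for a nil parse and `head :not_found` (or a rescue of ActiveRecord::RecordNotFound if you use find) for a missing row; the point is that the database never sees a value that is not a well-formed integer.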
