Is it bad practice to constantize a parameter submitted through the browser?

I have a single table inheritance setup with one controller (I felt that multiple controllers would be duplication). However, for some methods I would like to use the subclassed models. I decided to have the browser send a parameter on which I would write a case statement. Something like:

 case @model[:type]
 when "A"
   @results = Subclass1.search(params[:term])
 when "B"
   @results = Subclass2.search(params[:term])
 ...
 end

Alternatively, I learned that Ruby, with all its trickery, can create a model from a string. Something like:

 @results = params[:model].constantize.search(params[:term]) 

My question is: is this bad practice? I can imagine that someone sneaky could craft a request that forces me to instantiate an arbitrary internal object. But I could verify that the object is a subclass of what I want.

+6
3 answers

At the same time, I'd rather rewrite it using case, to be extremely clear about the allowed inputs:

 @results = case params[:model]
            when 'page' then Page
            when 'post' then Post
            else raise 'finger'
            end.search(params[:term])
+7

If you have a whitelist of objects that you check against before you do this, then you should be fine. You always want to make sure that you are sanitising and checking input from external sources very quickly to protect yourself.

+1
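A stand-alone illustration of the allowlist approach from the two answers above, added here and not part of the original thread: Model, Page, Post, their record data and the resolver functions are constructed for the example, and Object.const_get stands in for Rails' constantize to show why a bare string lookup needs an extra subclass check.

```ruby
# Minimal STI-style base class (no Rails): each subclass keeps its own
# constructed in-memory records and inherits a class-level search.
class Model
  def self.records; @records ||= []; end
  def self.search(term)
    records.select { |r| r.include?(term) }
  end
end

class Page < Model
  records.push("about page", "contact page")   # constructed sample data
end

class Post < Model
  records.push("first post", "second post")    # constructed sample data
end

class UnknownModelError < StandardError; end

# Preferred: an explicit allowlist. The browser-supplied value is only a
# key; the only classes reachable are the ones listed here.
ALLOWED_MODELS = { "page" => Page, "post" => Post }.freeze

def resolve_model(param)
  ALLOWED_MODELS.fetch(param) { raise UnknownModelError, "unknown model: #{param.inspect}" }
end

# Name-based lookup (what a bare constantize does): any constant the client
# names would resolve, so a subclass check is mandatory. Note that Model
# itself is rejected too, since `Model < Model` is false.
def resolve_model_by_name(param)
  klass = Object.const_get(param)
  unless klass.is_a?(Class) && klass < Model
    raise UnknownModelError, "not a Model subclass: #{param}"
  end
  klass
rescue NameError
  raise UnknownModelError, "unknown model: #{param.inspect}"
end

# Controller-style entry point using the allowlist resolver.
def search(params)
  resolve_model(params[:model]).search(params[:term])
end
```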

This snippet uses Ick's maybe for brevity, but write it however you like; the point is to use a hash:

 @results = {"A" => Subclass1, "B" => Subclass2}[params[:model]].maybe.search(params[:term]) 
+1

Source: https://habr.com/ru/post/885572/

