I have the following piece of ruby code:
authenticate_this(request.env["SOME_ID"])
What I want to know is how do I place this "SOME_ID" within the HTTP GET request.
From what I understand, these rails request parameters are preset? If so what is the "SOME_ID"?
Thanks
Rails request parameters are available in the params hash. Put this next line in your ERB
= debug params
This line will tell you all about the params hash. Key values include
params[:id]
params[:object_id] # In a route like users/1/listings/1, this would be params[:user_id]
params[:form_contents] # the contents of a form are available in params
Related
I have a form in RoR with a controller action that looks up a record via the get parameter.
def respond
if request.post?
# Submit logic here...
# cannot lookup this way to fill the form out again
# #current_message = Saved_message.find_by_id(params[:msg_id])
elsif request.get?
#current_message = Saved_message.find_by_id(params[:msg_id])
end
end
I can't use the params[:msg_id] to lookup the message again because it's a post request and I don't resend the get parameters. However, the get parameters remain in the url such as .../messages/respond?msg_id=2. I can get around this by passing in a hidden field with a different parameter name like <%= form.hidden_field :msg_id_2, value: params[:msg_id] %>. Then I can lookup the #current_message via the params[:msg_id_2]. However, I don't like this solution. Any advice to access the now inaccessible get parameter?
you should use RESTful routes so that you do not have to care about such issues.
since you are not posting much about the actual code or problem you are trying to solve, i can just assume what might be the issue here and how to solve it.
I have been trying to figure out how the params method works and I'm a bit stuck on the process.
For example, if a user clicks on a certain blog post in the index page, I guess that the link_to method calls the Post controller and the show action along with its block #post = Post.find(params[:id]) and then goes to the database to find the post and the view displays it.
So my missing link seems to be when is the post id passed into the params method?
Because the others already explained about params, I'm just going to answer directly a question of yours:
when is the post id passed into the params method
I think it's best explained with an example; see below:
say that you clicked a link:
/posts/1/?param1=somevalue1¶m2=somevalue2
The Rails server receives this request that a client wants to view this GET /posts/1/?param1=somevalue1¶m2=somevalue2 address.
To determine how the Rails server will respond, the server will first go to your routes.rb and find the matching controller-action that will handle this request:
# let's say your routes.rb contain this line
# resources :posts
# resources :posts above actually contains MANY routes. One of them is below
# For sake of example, I commented above code, and I only want you to focus on this route:
get '/posts/:id', to: 'posts#show'
From above notice that there is this :id, Rails will automatically set params[:id] to the value of this :id. This is the answer to your question where params[:id] comes from.
It doesn't have to be :id; you can name it whatever you want. You can even have multiple URL params like so (just an example):
get /users/:user_id/posts/:id which will automatically set the value on params[:user_id] and params[:id] respectively.
In addition to this URL params like :id, Rails also injects values to params[:controller] and params[:action] automatically from the routes. Say from the example above, get '/posts/:id', to: 'posts#show', this will set params[:controller] to 'posts', and params[:action] to 'show'.
params values also comes from other sources like the "Query string" as described by Mayur, and also comes from the body of the request, like when you submit a form (the form values are set within the body part of the request) and like when you have JSON requests, which all of these are automatically parsed by Rails for your convenience, so you could just simply access params and get the values as you need them.
Params are hashes in ruby with Indifferent access which means,
hsh = {"a" => 1, "b" => 2}
Consider this hsh as params returned from a POST request from browser, it's a key value pair with keys as string. Since it's a params so the values can be accessed as
hsh["a"]
=> 1
hsh [:a]
=> 1
params are formed on the client where the interface load, consider a form which has a submit button. When you press submit, the data filled in form or any hidden textboxes are formed into a hash and passed across the request. This when received on server end will be called as params or request params.
For Get requests: data send across the url will be read as params on backend.
GET: http://www.abx.com?user=admin
params on backend: {"user" => "admin"}
This will be displayed in rails server logs
For Put request: data send across the body will be called params.
PUT: http://www.abx.com
data: {"user" => "admin"} Client side
params on backend: {"user" => "admin"}
This will be displayed in rails server logs
How does the params method work?
The params come from the user's browser when they request the page. For an HTTP GET request, which is the most common, the params are encoded in the URL. For example, if a user's browser requested
http://www.example.com/?post=1&comment=demo
then params[:post] would be "1" and params[:comment] would be "demo".
In HTTP/HTML, the params are really just a series of key-value pairs where the key and the value are strings, but Ruby on Rails has a special syntax for making the params be a hash with hashes or array or strings inside.
It might look like this:
{"post"=>"1", "comment"=>"demo"}
Link to Rails Guides on params: guides
I'm using Rails 5 and this link
<%= link_to 'Pdf', payments_path(params.merge(format: :pdf)), :target => "_blank" %>
causes:
Attempting to generate a URL from non-sanitized request parameters! An
attacker can inject malicious data into the generated URL, such as
changing the host. Whitelist and sanitize passed parameters to be
secure.
I have seen few questions on this issue already and how is the .merge that causes this.
For a while I just used params.permit! to avoid to face the problem but obviously that's not a solution.
So I understand I have to whitelist necessary params.
Isn't enough to create the usual:
def whatever_params
params.require(:whatever).permit(.....)
end
and whitelist all necesssary params?
I'm new to rails and so far I whitelisted params for forms, so regarding POST parameteres. In that case I just include params used in form fields. But I understand this is regarding params on url, so query string parameters. So is this regarding params passed to url from ransack or will_paginate (gems I'm using)? This confuses me..
How do I exactly check which params need to be whitelisted to avoid to receive that error?
1.Yes. It's enough to create simple method like whatever_params and use params.require(:whatever).permit(..) or params.permit(...)
2.Move all params that you use to whitelist. For example, you have GET request with tons of params but use only some of them and they are optional:
def my_params
params.permit(:category, :name, :age) #params that you use
end
i want to pass a query to url like
http:/localhost:3000/saldo/;1010917745800000015?1
in my routes i have:
get 'saldo/:nomor' => 'kartus#show_saldo' , as: :show_saldo
and controller:
def show_saldo
#kartu = Kartu.find_by_nomor(params[:nomor])
end
but instead i get this params
Parameters {"1"=> nil,"nomor"=>";1010917745800000015"}
how can i get my param as {"nomor"=>";1010917745800000015?1"}
<%= link_to 'xyz' show_saldo_path(:nomor => 'nomor', :def => 'def'......) %>
In get everything you passed other than url parameter will become your query parameter. def will become your url parameter. More information here.
? is a special character in urls. If you want to include it in the value of a parameter then you should Uri Encode, eg with CGI.escape(), the parameter before submitting it: this will convert "?" to "%3F", and will similarly convert any other special characters (spaces, brackets etc). So, the parameter that is actually submitted will become "%3B1010917745800000015%3F1".
At the server side, rails will call CGI.unescape on the params, so it should show up in your controller as ";1010917745800000015?1" again.
This should happen automatically with form inputs - ie, if someone writes ;1010917745800000015?1 into a text field then it should actually be sent through as "%3B1010917745800000015%3F1"
If you want people to diagnose why this isn't happening then you should include the html (of the form or link which is submitting this value) to your question.
I am trying to get to grips with the params hash in RoR. I'm not sure if I'm missing something, but my understanding so far is that the params hash is a hash containing either form entered data or query string data related to a POST request. Where params[:item] creates a symbol where the relevant POST data/query is stored. Again not sure if I'm correct on this, any enlightenment would be much appreciated. Thanks
The params hash is described in detail in the Action Controller Overview. TL;DR: the params hash holds all GET or POST parameters passed to the controller, as well as the :controller and :action keys.