GET params in ruby-on-rails project - best practices?
- by Lynn C
I've inherited a little rails app and I need to extend it slightly. It's actually quite simple, but I want to make sure I'm doing it the right way...
If I visit myapp:3000/api/persons it gives me a full list of people in XML format. I want to pass a param in the URL so that I can return users that match the login or the email, e.g. myapp:3000/api/persons?login=jsmith would give me the person with the corresponding login. Here's the code:
  def index
    if params.size > 2 # We have 'action' & 'controller' by default
      if params['login']
        # Hash conditions: the value is quoted by ActiveRecord, not interpolated by us
        @persons = [Person.find(:first, :conditions => { :login => params['login'] })]
      elsif params['email']
        @persons = [Person.find(:first, :conditions => { :email => params['email'] })]
      end
      # Note: extra params other than login/email leave @persons unset (nil) here
    else
      @persons = Person.find(:all)
    end
  end
Two questions...
Is it safe? Does ActiveRecord protect me from SQL injection attacks (notice I'm trusting the params that are coming in)?
Is this the best way to do it, or is there some automagical rails feature I'm not familiar with?
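As an added illustration (not code from the original post, and not ActiveRecord's own implementation), the following plain Ruby models the two points behind the first question so that it runs without Rails: an allowlist of the filter keys the API actually supports, so that `controller`, `action`, `format` or any other unexpected key never reaches the query, and the difference between a value that is quoted as a SQL literal (what ActiveRecord does for hash conditions such as `:conditions => { :login => ... }`) and a value interpolated straight into the SQL string. The table name `persons`, the quoting rule (wrap in single quotes, double any embedded single quote, as ANSI SQL specifies) and the sample parameters are assumptions for the example. It also goes slightly beyond the post's code by combining `login` and `email` with AND when both are present, instead of picking the first one.

```ruby
# Added example: allowlisted filter params and quoted vs. interpolated SQL.
# Table name "persons" and the permitted columns are assumptions.

PERMITTED_FILTERS = %w[login email].freeze

# Keep only the filters the API advertises. Rails adds "controller", "action"
# and (for /persons.xml) "format"; an attacker may add anything at all.
# Everything not in the allowlist is dropped, so the key set can never be
# chosen by the client.
def permitted_conditions(params)
  params.each_with_object({}) do |(key, value), conds|
    conds[key.to_sym] = value.to_s if PERMITTED_FILTERS.include?(key.to_s)
  end
end

# Quote a value as a SQL string literal: wrap in single quotes and double any
# embedded single quote, which is the standard SQL escaping rule for strings.
def sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hash conditions expand to one "column = 'quoted value'" clause per key,
# joined by AND. Column names come from the allowlist, values are quoted.
def where_sql_from_hash(conditions)
  return "SELECT * FROM persons" if conditions.empty?
  clauses = conditions.map { |column, value| "#{column} = #{sql_literal(value)}" }
  "SELECT * FROM persons WHERE " + clauses.join(" AND ")
end

# The unsafe alternative: the raw value becomes part of the SQL text itself.
# A single apostrophe in the input is enough to change the statement.
def where_sql_interpolated(column, value)
  "SELECT * FROM persons WHERE #{column} = '#{value}'"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request params, as Rails would present them for
  # GET /api/persons.xml?login=jsmith&admin=1
  request_params = {
    "controller" => "persons", "action" => "index", "format" => "xml",
    "login" => "jsmith", "admin" => "1"
  }
  conds = permitted_conditions(request_params)
  puts "permitted conditions: #{conds.inspect}"
  puts "hash conditions:      #{where_sql_from_hash(conds)}"

  # A legitimate login containing an apostrophe shows the difference.
  puts "quoted:               #{where_sql_from_hash(login: "o'brien")}"
  puts "interpolated:         #{where_sql_interpolated('login', "o'brien")}"
end
```

Run with `ruby example.rb`: the interpolated form for `o'brien` produces `login = 'o'brien'`, an unbalanced literal whose remainder is parsed as SQL, while the quoted form produces `login = 'o''brien'`, a single literal. The allowlist is the part ActiveRecord does not do for you: hash conditions quote values, but the keys (column names) are whatever you put in the hash, so they must come from your own code, never from the request.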