Topic: fine tuning... minor questions like params checking and so on

What does Rails state in production,
1. when, e.g., Model.new(params[:model]) raises an error?
2. or params[:id] is nil and I didn't check it?

I'm currently cleaning my code.

I am also interested in the questions:
3. When is it really necessary to use an instance @variable?
4. Is it just safe to use hidden fields in forms when posting?
5. Do I have to check if the params are post or get params?
6. Are there any general security tips? (e.g. my user passwd is hexed; and I am checking params and so on in nearly every method, which makes the code look very dirty)
7. Do you have any performance tips on queries?
e.g.: what's better or what's faster:

#7.1.
fm = ForumMessage.find(params[:id])
f = Forum.find(fm.forum_id)
#or
#7.2.
fm = ForumMessage.find(params[:id])
f = fm.forum

Thank you so far!

Re: fine tuning... minor questions like params checking and so on

joern wrote:

1. when, e.g., Model.new(params[:model]) raises an error?

Not sure what you mean by this.

joern wrote:

2. or params[:id] is nil and I didn't check it?

If you do Model.find(params[:id]) and the id is nil it raises an ActiveRecord::RecordNotFound exception. You can catch this and return a 404 error page if you want.

joern wrote:

3. When is it really necessary to use an instance @variable?

When you need to share the variable with something outside of the current scope/method. If you are in a controller action and you need to share it with the view, use an instance variable. Same goes for when you are in a model and you need to share it with other methods in that model instance.

joern wrote:

4. Is it just safe to use hidden fields in forms when posting?

Well, hackers can still edit the hidden field values, but other than that it's fine.

joern wrote:

5. Do I have to check if the params are post or get params?

Nope, Rails lumps all these into the params hash.

joern wrote:

6. Are there any general security tips? (e.g. my user passwd is hexed; and I am checking params and so on in nearly every method, which makes the code look very dirty)

I'm doing a series on security right now on Railscasts.

joern wrote:

7. Do you have any performance tips on queries?
e.g.: what's better or what's faster:

#7.1.
fm = ForumMessage.find(params[:id])
f = Forum.find(fm.forum_id)
#or
#7.2.
fm = ForumMessage.find(params[:id])
f = fm.forum

Thank you so far!

They will both be the same. However, you can do what's called eager loading to fetch the forum while you fetch the message.

fm = ForumMessage.find(params[:id], :include => :forum)
f = fm.forum

This will usually be faster because it won't require a 2nd query to fetch the forum.

Railscasts - Free Ruby on Rails Screencasts

Re: fine tuning... minor questions like params checking and so on

Thank you a lot again.
yo, question 1 was supposed to be about Model.find, not .new.

--

So hackers can edit the hidden fields; that lets the question about GET and POST stand clear....
I think I have to check the params always (in Forums, e.g., whether the hidden_field stuff is technically correct and so on)... and surround find stuff with begin rescue ensure...

ok, that helps a lot on cleaning my code, I think it's important to keep everything transparent.

Re: fine tuning... minor questions like params checking and so on

joern wrote:

surround find stuff with begin rescue ensure...

If you always need the same behavior, you can override rescue_action_in_public in your application controller:

# in application.rb
def rescue_action_in_public(exception)
  if exception.kind_of? ActiveRecord::RecordNotFound
    #....
  else
    super
  end
end

Railscasts - Free Ruby on Rails Screencasts
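Pulling the thread's points together in one added example (not code from the thread, from Rails or from Railscasts): plain Ruby stand-ins for the two models and for ActiveRecord::RecordNotFound show the hidden forum_id field treated as an unverified claim, a find on a nil or unknown id turned into a 404 the way a rescue_action_in_public override would, and an authorization check that the posted params cannot influence. The constants, update_message and find_or_raise are constructed for this example.

```ruby
# Constructed stand-in for the exception Rails raises on a failed find.
module ActiveRecord; class RecordNotFound < StandardError; end; end

# Constructed in-memory "tables" standing in for Forum and ForumMessage rows.
FORUMS   = { 1 => { id: 1, name: "public" }, 2 => { id: 2, name: "staff-only" } }
MESSAGES = { 10 => { id: 10, forum_id: 1, body: "hello" } }

# Mirrors Model.find: a nil or unknown id raises RecordNotFound instead of returning nil.
def find_or_raise(table, id)
  raise ActiveRecord::RecordNotFound, "id=#{id.inspect}" if id.nil? || !table.key?(id.to_i)
  table[id.to_i]
end

# A controller-style handler. Rails merges query-string and form-body values
# into one params hash, so nothing here can tell a GET value from a POST one;
# every value has to be validated the same way.
def update_message(params, current_user_forums)
  fm = find_or_raise(MESSAGES, params[:id])

  # The hidden forum_id field comes back from the browser and may have been
  # edited. Treat it as a claim to verify; the record's own association is
  # the authoritative value.
  claimed = params.dig(:message, :forum_id)
  return { status: 422, error: "forum mismatch" } if claimed && claimed.to_i != fm[:forum_id]

  # Authorization is decided from server-side state, never from the params.
  return { status: 403, error: "forbidden" } unless current_user_forums.include?(fm[:forum_id])

  { status: 200, message: fm.merge(body: params.dig(:message, :body) || fm[:body]) }
rescue ActiveRecord::RecordNotFound
  # Equivalent of rendering a 404 page from rescue_action_in_public.
  { status: 404, error: "not found" }
end
```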