How can you safeguard a rails application from SQL injection attack?

Rails already has the logic built into it to prevent SQL injection attacks if you follow the right syntax. 

Say you are trying to authenticate a user based on their login and password you might be tempted to use a syntax as below:

User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'")

If an attacker enters ’ OR ‘1’=‘1 as the name, and ’ OR ’2’>’1 as the password, the resulting SQL query will be:

 SELECT * FROM users WHERE login = '' OR '1'='1' AND password = '' OR '2'>'1' LIMIT 1 

This will simply find the first record in the database, and grants access to this user.

To prevent this type of SQL injection simply use the following format.

  User.where("login = ? AND password = ?", entered_user_name, entered_password).first

OR

User.where(:login => entered_user_name, :password => entered_password).first

How can you achieve the same effect as multiple inheritance using Ruby? What is mixin?

Ruby offers a very neat alternative concept called mixin. Modules can be imported inside other class using mixin. They are then mixed-in with the class in which they are imported.

Here’s an example:

module Debug
  def whoAmI?
    "I am #{self.to_s}"
  end
end

class Photo
 include Debug
end

ph = Photo.new

"I am : #<Photo:0x007f8ea218b270>"

As you can see above the class Debug and it’s method “whoamI?” were mixed-in (added) with the class Photo.

That’s why you can now create an instance of the Photo class and call the whoAmI? method.

ph.whoAmI?
 => "I am : #<Phonograph:0x007f8ea218b270>" 

What is RESTful routing?

Routing is fun. If you have ever dealt with IIS you will fall in love with RESTful routing. Here’s how it works.

Say you want your users to have access to certain pages such as:

/photos/new

/photos/1/edit

/photos/1

And, you want the right controller to get called.

And, you want the right view to get rendered.

All this is made possible with a single entry in the routes.rb file as shown below:

resources :photos 

In Rails, a resourceful route provides a mapping between HTTP verbs and URLs to controller actions. By convention, each action also maps to particular CRUD operations in a database. The single entry in the routing file creates seven different routes in your application, all mapping to the Photos controller:

What is eager loading?

Eager loading is a great optimization strategy to reduce the number of queries that are made against the DB.

Say you are finding 10 employees and then you are looking for their post codes. Then your query would appear something like this:

clients = Client.limit(10)
clients.each do |client|
  puts client.address.postcode
end

This may seem fine at first look but really this implementation leaves much to be desired. It makes 11 DB calls just to get the results.

Now you can optimize this query by making a slight change in the request like this:

clients = Client.includes(:address).limit(10)
clients.each do |client|
  puts client.address.postcode
end 

This new request makes two SQL calls like this:

SELECT * FROM clients LIMIT 10
SELECT addresses.* FROM addresses
    WHERE (addresses.client_id IN (1,2,3,4,5,6,7,8,9,10))

So, as you can see it really loads a lot more upfront and therefore it is called eager loading.