Home arrow Ruby-on-Rails arrow Protecting Your Rails Ecommerce Application

Protecting Your Rails Ecommerce Application

In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
Rating: 5 stars5 stars5 stars5 stars5 stars / 3
June 24, 2010
  1. · Protecting Your Rails Ecommerce Application
  2. · Protecting Your Application
  3. · URL and Form Manipulation
  4. · SQL Injection
  5. · Cross-Site Request Forgery

print this article

Protecting Your Rails Ecommerce Application
(Page 1 of 5 )

Creating the Form Templates

We need form templates for both the request and password resetting actions. Letís start by creatingapp/views/account/forgot_password.rhtmland adding the following code to it:

<p>Give your email address and we'll send you instructions on how to
create a new one.</p>
<%= form_tag %>
<label for="email">Email</label><br />
<%= text_field_tag "email" %><br />
<%= submit_tag "Submit" %>
<%= end_form_tag %>

The form is extremely simple, consisting of one text field for the e-mail address and a Submit button, as shown in Figure 8-4.

Figure 8-4.  Forgot password? form

Notice that since weíre posting the form back to the current action, we donít even need to specify an address forform_tag.

The reset form inapp/views/account/reset_password.rhtmlis almost as simple as the request form:

<%= error_messages_for :user %>
<%= form_tag %>
<p><label for="user_password">Password:</label><br />
<%= password_field :user, :password %></p> <p><label for="user_password_confirmation">Confirm password:</label><br />
<%= password_field :user, :password_confirmation %></p>
<p><%= submit_tag "Submit" %></p>
<%= end_form_tag %>

Here, we just show two password fields: one for the actual password and one for a confirmation. Since theUserclass has avalidates_confirmation_ofvalidation specified for thepasswordattribute, the password confirmation is automatically checked against the password. After that, it is stripped from the newUserobject before saving. If the two passwords donít match,@usercanít be saved, and the form is shown with an error notification by using theerror_messages_forcall, as shown in Figure 8-5.

Figure 8-5.  Error message when passwords do not match

We now have a working authentication system in our application. It could be easily extended to support open user registration, role-based authentication, reversible encrypted passwords, and ďremember meĒ functionality. For instructions on how to implement these functions, refer to the pluginís homepage athttp://technoweenie.stikipad.com/plugins/ show/Acts+as+Authenticated.

Note  In the implementation described in this chapter, the current password of a user is not reversible. When a user forgets her password, she must create a new one. The system will not mail her the old one.

blog comments powered by Disqus

- Ruby-on-Rails Faces Second Security Flaw in ...
- Ruby 2.0 Prepped for February 2013 Release
- Why LinkedIn Switched from Ruby on Rails
- Adding Style with Action Pack
- Handling HTML in Templates with Action Pack
- Filters, Controllers and Helpers in Action P...
- Action Pack and Controller Filters
- Action Pack Categories and Events
- Logging Out, Events and Templates with Actio...
- Action Pack Sessions and Architecture
- More on Action Pack Partial Templates
- Action Pack Partial Templates
- Displaying Error Messages with the Action Pa...
- Action Pack Request Parameters
- Creating an Action Pack Registration Form

Watch our Tech Videos 
Dev Articles Forums 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us 
Weekly Newsletter
Developer Updates  
Free Website Content 
Contact Us 
Site Map 
Privacy Policy 

Developer Shed Affiliates


© 2003-2019 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap
Popular Web Development Topics
All Web Development Tutorials