Imagine every time you threw something away you were frozen in place, unable to move unless you pushed a big red button confirming that you actually wanted to throw your soda can away.
We don’t want to see an unsightly javascript alert box every time we make “important” decisions.
Having your workflow interrupted by a popup dialog that requires some action is annoying. My friends at A List Apart share my sentiments.
Confused?
Now we take away those annoying alert boxes and, “Oh no!”, someone deleted an important email because our popup didn’t warn them.
Solution? Implement an undo feature.
You can store a link to the undo action in the flash.
def destroy
  @message = Message.find(params[:id])
  # Soft delete: delete! marks the record as deleted rather than removing the row,
  # so the undo action can flip the flag back.
  @message.delete!
  # flash.now is only visible to the view rendered in this same request;
  # use flash[:notice] instead if the action redirects.
  # undo_delete_message_path is the route helper for the undo action described below.
  flash.now[:notice] = "Message has been deleted <a href='#{undo_delete_message_path(@message)}'>Undo</a>"
end
Then implement an undo action that sets the deleted field false.
jQuery is my javascript library of choice. At Platform45 we use it in place of the Prototype library included with Rails. jQuery makes it a pleasure working with the ugly javascript monster. The documentation is superb with plenty of examples.
Degrade gracefully
Our web apps are built to work with and without javascript to accommodate mobile devices that may not yet have javascript functionality.
User Experience
When building a web application, build it first with no javascript. This allows you to focus on what needs to be done instead of fancy features. After it is working as it should, add the javascript to improve the user experience.
jQuery
Rails currently uses inline javascript. I prefer to keep all the javascript separate from the core code. jQuery allows me to hook into DOM elements and perform various actions unobtrusively.
(sure you could do this with Prototype but jQuery is far cooler)
Climbing around Cape Town this weekend I spotted a Digger overlooking the stadium being built in Green Point. Overwhelmed with joy I jumped in and tried to work the thing.
Thankfully I didn’t get it started, but I did notice this dial.
How’s that for a helpful label. So simple for any education level.
An SQL injection is performed when a malicious user enters a string that is constructed to escape the intended SQL statement and, by doing so, is able to manipulate the database.
Do not trust user input. When you collect user input from a form or from previously saved data, you need to escape unsafe characters before it reaches the database.
Take this example.
Message.find(:all, :conditions => ["id = 1 AND title = #{params[:query]}"])
The user enters his query into the form field as "' OR 1 --". Because "OR 1" is always true, the user will get a list of all messages in the database.
Solution?
We can pass the input as a bind value through a placeholder, so Rails quotes it for us instead of splicing it into the statement:
Message.find(:all, :conditions => ["id = 1 AND title = ?", params[:query]])
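To see what the placeholder actually does, here is an added example (not code from the original post) that builds the two condition strings without a database: `interpolated_conditions` mirrors the vulnerable form and `bind_conditions` is a simplified stand-in for the quoting Rails performs on a conditions array (assumed names; real ActiveRecord quoting also handles types and adapter-specific escaping).

```ruby
# Vulnerable: the user's string is spliced straight into the statement,
# exactly like "title = #{params[:query]}" in the post.
def interpolated_conditions(query)
  "id = 1 AND title = #{query}"
end

# Quote a value as a SQL string literal: wrap it in single quotes and double
# any single quote inside it. Simplified model of ActiveRecord's connection.quote.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Safe: each ? placeholder is replaced, in order, by its quoted value, the way
# a Rails conditions array is expanded. Raising on a count mismatch means a
# missing bind value can never silently leave a bare ? in the statement.
def bind_conditions(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  i = -1
  template.gsub("?") { quote_value(values[i += 1]) }
end

# Does the resulting SQL still carry an OR as live syntax? Strip quoted
# literals first so text inside a string does not count. Good enough for
# this demonstration; it is not a general SQL parser.
def injected?(sql)
  sql.gsub(/'(?:''|[^'])*'/, "''").match?(/\bOR\b/i)
end

USER_INPUT = "' OR 1 --" # constructed: the payload discussed in the post

if __FILE__ == $0
  puts interpolated_conditions(USER_INPUT)
  # => id = 1 AND title = ' OR 1 --        (OR 1 runs as SQL)
  puts bind_conditions("id = 1 AND title = ?", USER_INPUT)
  # => id = 1 AND title = ''' OR 1 --'    (whole payload is one literal)
end
```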