2. Thou shalt not call server in vain
John: "Hey, go to Tel Aviv and give them this letter".
Mike: "OK, on my way"
...
Mike: "I'm back".
John: "Great, can you go back and check if something has changed?"
John: "Couldn't you have asked me before?!?"
4. Thou shalt not call DB in vain
Mike: "Take this letter to the post Boss."
John: "Ok"
John: "I'm back"
Mike: "Now take this one."
John: "Ok"
John: "I'm back"
Mike: "And now this"
John: "Ok"
John: "I'm back"
Mike: "And this..."
John: "AHHHAAAHHHA!!!!"
5. In code:
students = []
classes = Class.where(city: "Tel-aviv")
classes.each do |klass|   # `class` is a reserved word in Ruby
  # one extra query per class: the N+1 problem
  students << Student.where(class_id: klass.id)
end
Should be:
# one query for the ids, one query for all the students
class_ids = Class.where(city: "Tel-aviv").pluck(:id)
students = Student.where(class_id: class_ids)
6. Thou shalt not fetch unnecessary data
John: "Go to Tel Aviv and bring here all the new cars"
Mike: "I'm on my way..."
Mike: "I'm back!"
John: "Cool, now write down all their plates and put it on my table"
8. Thou shalt protect your DB
Guest: "Hey, can I use your toilet?"
Mike: "Sure"
...
Mike: "Hey, what are you doing inside my room?!?"
9. In code, we call it SQL injection
def station_info(station_id)
  Station.where("station_id = #{station_id}")
end
What will happen if an attacker uses:
station_id = "532 and 1 = 1"
The interpolated text becomes part of the SQL, so the condition is true for every row and the query returns all stations.
Should be:
def station_info(station_id)
  # bound parameter: the value is quoted by the driver and can never change the query structure
  Station.where("station_id = ?", station_id)
end
10. Thou shalt protect your clients
Boss: "Take this package to our John, it's something from Mike."
Secretary: "John complained that this package had a detecting device in it"
Boss: "OMG!!!"
11. In code, we call it an XSS attack: one user plants malicious code that runs in another user's browser.
def update_address(user, address)
  user.address = address
  user.save
end
What will happen if:
address = '<script>alert("xss attack!!")</script>'
Should be:
def update_address(user, address)
  # ERB::Util.html_escape turns <, >, &, " and ' into HTML entities
  user.address = ERB::Util.html_escape(address)
  user.save
end
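To show why the escape matters, here is an added Ruby example (not code from the slides) that stores the address both ways and renders it into a plain ERB template, which does not auto-escape; the user hash, the template and the payload are constructed for the demo.

```ruby
require 'erb'

# Constructed sample input for the demo: an address field carrying a script tag.
MALICIOUS_ADDRESS = '<script>alert("xss attack!!")</script>'

# The "before" behaviour from the slide: store whatever the client sent.
def update_address_unsafe(user, address)
  user[:address] = address
  user
end

# The "after" behaviour from the slide: HTML-escape before storing.
def update_address_safe(user, address)
  user[:address] = ERB::Util.html_escape(address)
  user
end

# A minimal profile page. Plain ERB does not escape <%= %>, so whatever is in
# user[:address] lands in the HTML verbatim (the same thing a raw/html_safe
# call would do in a Rails view).
PROFILE_TEMPLATE = '<p>Address: <%= address %></p>'

def render_profile(user)
  ERB.new(PROFILE_TEMPLATE).result_with_hash(address: user[:address])
end

# Detection helper: does the rendered page contain a live <script> element?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_profile(update_address_unsafe({}, MALICIOUS_ADDRESS))
  # => <p>Address: <script>alert("xss attack!!")</script></p>
  puts render_profile(update_address_safe({}, MALICIOUS_ADDRESS))
  # => <p>Address: &lt;script&gt;alert(&quot;xss attack!!&quot;)&lt;/script&gt;</p>
end
```

Rails views already escape `<%= %>` output at render time, so escaping on input as the slide does can double-escape legitimate text; the point the example makes is that the escape has to happen somewhere on the path to the browser, and any raw output sink loses it.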
12. Thou shalt never trust the client
Boss: "Who is this man inside the lab?"
Secretary: "He is a technician, he said he is allowed to be there."
Boss: "Did you check his ID?"
Secretary: "NO…"
13. In code:
def update_user(user, params)
  user.assign_attributes(params)
  user.save
end
Should be:
def update_user(user, params)
  # authorization is decided on the server, never from what the client claims
  raise "unauthorized" unless current_user.is_admin
  user.assign_attributes(params)
  user.save
end
14. Thou shalt think about debugging in production
Boss: "Where is my document?"
Secretary: "I sent it to Mike"
Boss: "To which address? He says he didn't get it"
Secretary: "I don't know, I didn't write it."
Boss: "I'm gonna kill you…"
15. In code:
def update_station(station, params)
  station.assign_attributes(params)
  station.save
end
You should log important operations and errors.
Should be:
def update_station(station, params)
  # record who changed what, so the trail exists when something goes wrong
  Rails.logger.info("user #{current_user.id} updated station #{station.id}")
  station.assign_attributes(params)
  station.save
rescue => e
  Rails.logger.error("user #{current_user.id} couldn't update station #{station.id}")
  Rails.logger.error(e)
end
17. Thou shalt always expect the worst
John: "I think it's going to rain, did you bring your umbrella?"
Mike: "No, on my computer it never rained"
John: "OK…"
18. In code
this.ajax.getUsers().then((res) => {
  this.users = res;
});
Should be:
this.ajax.getUsers().then((res) => {
  this.users = res;
}, (err) => {
  // the request can fail; tell the user instead of failing silently
  toast("Could not get users, please try again later");
});
19. And as a bonus:
Thou shalt remember there are a lot of different screens out there
Mike: "Can you tell me what's the score?"
John: “No, I can't see it well on my computer”
Mike: "Then use mine"
John: "Oh, now I can read it…"