Ruby on Rails: How to pass parameters from view to controller with link_to without parameters showing up in URL

Question

I am currently using a link_to helper in View to pass parameters like title , author ,image_url and isbn back to controller

<%= link_to 'Sell this item',new_item_path(:title => title, :author => authors, :image_url=>image, :image_url_s=>image_s, :isbn=>isbn, :isbn13=>isbn13 ) %>

Controller will then assign the parameters to an object to be used by a form in View later(in new.html.erb)

def new
      @item = Item.new

      @item.title = params[:title]
      @item.author = params[:author]
      @item.image_url = params[:image_url]
      @item.image_url_s = params[:image_url_s]
      @item.isbn = params[:isbn]
      @item.isbn13 = params[:isbn13]

      respond_to do |format|
        format.html # new.html.erb
        format.xml  { render :xml => @item }
      end
end

new.html.erb will then be called. This is all working fine but the url shows all the parameters

http://localhost:3000/items/new?author=Michael+Harvey&image_url=http://ecx.images-amazon.com/images/I/51vt1uVjvLL._SL160_.jpg&image_url_s=http://ecx.images-amazon.com/images/I/51vt1uVjvLL._SL75_.jpg&isbn13=9780307272508&isbn=0307272508&title=The+Third+Rail

Is there any way I can make the parameters not show up on the URL?

Answer 1

Maybe you could encode the parameters and decode them in the controller to deter users who may want to modify the url? Might be overkill but...

>> author=ActiveSupport::Base64.encode64("author=jim")
=> "YXV0aG9yPWppbQ==\n"
>> ActiveSupport::Base64.decode64(author)
=> "author=jim"

Answer 2

A POST can be used to move the parameters out of the URL and into the request, but this is not the "correct" or best practice. HTTP standards are such that non-GET requests are meant to be used only for requests that change state on the server. This is why you get a warning when you refresh a page that was generated in response to a POST.

There is nothing wrong with having parameters in the URL. So much focus should not be made on what appears to the URL bar, let alone what's after the ?. If however you have some need (i.e. insistence of a client) to remove them, you have several options, two of which John mentions.

I'm assuming your "new" action is REST-style, in that it's generating a form that would have to be submitted to change state on the server. Therefore your options might be:

1. Use POST, even though it's not standard compliant. Not recommended.
2. Use AJAX GET. This requires javascript, and ajax handling does add requirements such as the use of a JS framework and testing.
3. Use GET (or POST), but capture the parameters and store them, the redirect the user back to another clean URL that displays those stored value. You could store those in the session hash, or create a database record of them. Actually you really should use POST in this case, since you are effectively changing state on the server by storing those parameters. In this case, if the user refreshes the page he is directed to, those parameters will be preserved. This effectively removes the browser warning on refresh, something I can certainly appreciate.