Shouldn’t attr_protected or attr_accessible be used instead?
Clients can create fake forms that add some extra fields, which might be saved in the database when you don’t want them to be.
See http://manuals.rubyonrails.com/read/chapter/47.
Here is some code that you can add to the Hash class to prevent this:
class Hash
  # Keep only the keys named in key_list; every other key is deleted in place.
  # Iterate over a snapshot of the keys so that deleting while iterating is safe.
  def keep_keys(key_list)
    keys.each { |key| delete(key) unless key_list.member?(key) }
    self
  end
end
Put this in a file in the lib directory, and require that file in your environment.rb file.
Then, whenever your controller deals with incoming form data, list which field names you are expecting, like so:
params.keep_keys(['field1', 'field2', 'field3'])
To apply this to fields corresponding to object properties, do it like so:
params['user'].keep_keys(['name', 'email'])
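The same allowlist idea, carried one step further as an added example (this is not code from the original page): instead of deleting unexpected keys from params in place, build a new hash that contains only the expected keys, with a nested allowlist for sub-hashes such as params['user'], and report which keys were dropped so the controller can log a client that is submitting fields it was never shown. The helper names (permit_keys, rejected_keys) and the forged request hash are constructed for this illustration; the code is plain Ruby and does not depend on Rails.

```ruby
# Added example: allowlist filtering of a forged form submission, generalized
# to nested parameter hashes. Helper names and sample data are constructed.

# Returns a new hash containing only the keys named in `allowed`.
# `allowed` is an array whose elements are either a key (kept as-is) or a
# one-entry hash mapping a key to a nested allowlist for that sub-hash.
def permit_keys(params, allowed)
  allowed.each_with_object({}) do |entry, kept|
    key, nested = entry.is_a?(Hash) ? entry.first : [entry, nil]
    next unless params.key?(key)
    value = params[key]
    kept[key] = if nested && value.is_a?(Hash)
                  permit_keys(value, nested)   # recurse into the sub-hash
                else
                  value
                end
  end
end

# Keys that were present in the request but absent from the allowlist.
# A client that keeps sending keys like "admin" is worth logging.
def rejected_keys(params, allowed)
  params.keys - permit_keys(params, allowed).keys
end

# Constructed request: a client-modified form that adds an "admin" field to
# the user sub-hash and a stray top-level "debug" key.
FORGED_PARAMS = {
  'authenticity_token' => 'abc123',
  'user' => { 'name' => 'Alice', 'email' => 'alice@example.com', 'admin' => '1' },
  'debug' => 'true'
}.freeze

# What the controller actually expects for this form.
USER_ALLOWLIST = ['authenticity_token', { 'user' => ['name', 'email'] }].freeze

if __FILE__ == $PROGRAM_NAME
  clean = permit_keys(FORGED_PARAMS, USER_ALLOWLIST)
  p clean
  p rejected_keys(FORGED_PARAMS, USER_ALLOWLIST)
  p rejected_keys(FORGED_PARAMS['user'], ['name', 'email'])
end
```

Because permit_keys returns a fresh hash rather than mutating params, the original request stays available for logging or error reporting, and the filtered hash is the only thing that reaches the model.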