Nicholas Lee
2005-Jul-18 05:57 UTC
item = collection.build/ attributes =params/ item.save. Protection against collection_id being set in params?
Is this:

    item = @user.todos.build
    item.attributes = @params["new_item"]
    item.save

going to stop an attacker from inserting some user_id into @params[]? Or will this have to be explicitly checked before saving?

-- 
Nicholas Lee
http://stateless.geek.nz
gpg 8072 4F86 EDCD 4FC1 18EF 5BDD 07B0 9597 6D58 D70C
Richard Livsey
2005-Jul-18 09:21 UTC
Re: item = collection.build/ attributes =params/ item.save. Protection against collection_id being set in params?
Nicholas Lee wrote:
> Is this:
>     item = @user.todos.build
>     item.attributes = @params["new_item"]
>     item.save
>
> going to stop an attacker from inserting some user_id into @params[]?
>
> Or will this have to be explicitly checked before saving?

Note that you can use attr_protected and attr_accessible to protect against this kind of thing.

There's a book on the rails site outlining this, and other security issues:
http://manuals.rubyonrails.com/read/book/8

And about this in particular:
http://manuals.rubyonrails.com/read/chapter/47

hth

-- 
R.Livsey
http://livsey.org
Nicholas Lee
2005-Jul-18 10:28 UTC
Re: item = collection.build/ attributes =params/ item.save. Protection against collection_id being set in params?
On 7/18/05, Richard Livsey <richard-gfRugNUWsoQdnm+yROfE0A@public.gmane.org> wrote:
> Note that you can use attr_protected and attr_accessible to protect
> against this kind of thing.

Forgot about those. This is definitely the thing to prevent 'mass' assignment against fields that need to be protected.

Thanks.

-- 
Nicholas Lee
http://stateless.geek.nz
gpg 8072 4F86 EDCD 4FC1 18EF 5BDD 07B0 9597 6D58 D70C
Nicholas Lee
2005-Jul-18 12:11 UTC
Re: item = collection.build/ attributes =params/ item.save. Protection against collection_id being set in params?
On 7/18/05, Richard Livsey <richard-gfRugNUWsoQdnm+yROfE0A@public.gmane.org> wrote:
> Note that you can use attr_protected and attr_accessible to protect
> against this kind of thing.

Another thing: are we going to have to consider the same mechanism for 'id'?

    @user = User.new(@params['user'])

i.e. if an attacker embeds an 'id' in the @params, will this be ignored naturally by the create mechanism, or does attr_protected :id need to be explicitly added?

-- 
Nicholas Lee
http://stateless.geek.nz
gpg 8072 4F86 EDCD 4FC1 18EF 5BDD 07B0 9597 6D58 D70C
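The two questions in this thread (can a params-supplied user_id override what @user.todos.build set, and does the same apply to id) come down to which keys of the untrusted hash `attributes=` is willing to write. The following is an added example, not code from the thread or from Rails itself: a small stand-in for ActiveRecord's mass assignment that runs without Rails installed, with an unfiltered model, an attr_protected-style denylist and an attr_accessible-style allowlist side by side. The class and column names (Todo, user_id, title, done), the fake `build`, and the attacker's request are all assumed for illustration.

```ruby
# Added example, not code from the thread or from Rails: a minimal stand-in
# for ActiveRecord's mass assignment, showing how a params-supplied user_id
# or id clobbers what collection.build set, and how attr_protected (denylist)
# and attr_accessible (allowlist) style filters behave. Class and attribute
# names (Todo, user_id, title, done) are assumed for illustration.

module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Allowlist: only these attributes may be written from an untrusted hash.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # Denylist: these attributes are never written from an untrusted hash.
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible
    end

    def protected_attributes
      @protected || []
    end
  end

  def initialize(attrs = {})
    @attributes = {}
    attrs.each { |k, v| @attributes[k.to_s] = v }
  end

  # Mass assignment. With neither list declared, every key is written,
  # including foreign keys and the primary key.
  def attributes=(new_attrs)
    allowed = self.class.accessible_attributes
    denied  = self.class.protected_attributes
    new_attrs.each do |k, v|
      key = k.to_s
      next if allowed && !allowed.include?(key)  # allowlist in force
      next if denied.include?(key)               # denylist in force
      @attributes[key] = v
    end
  end

  def [](name)
    @attributes[name.to_s]
  end
end

# No filtering at all: whatever is in params lands in the row.
class UnprotectedTodo
  include MassAssignment
end

# Denylist: user_id is blocked, but id was not listed and slips through.
class DenylistTodo
  include MassAssignment
  attr_protected :user_id
end

# Allowlist: only the two user-editable fields; user_id and id never come from params.
class AllowlistTodo
  include MassAssignment
  attr_accessible :title, :done
end

# Stands in for @user.todos.build: the association pre-fills the foreign key.
def build_for_user(klass, user_id)
  klass.new("user_id" => user_id)
end

# Stands in for the controller action in the first post:
#   item = @user.todos.build; item.attributes = @params["new_item"]; item.save
def create_todo(klass, current_user_id, params)
  item = build_for_user(klass, current_user_id)
  item.attributes = params["new_item"]
  item
end

# Constructed attacker request: a plausible todo plus an injected user_id and id.
ATTACKER_PARAMS = {
  "new_item" => {
    "title"   => "buy milk",
    "done"    => false,
    "user_id" => 999,  # another account
    "id"      => 1,    # an existing row
  }
}

if __FILE__ == $0
  [UnprotectedTodo, DenylistTodo, AllowlistTodo].each do |klass|
    item = create_todo(klass, 42, ATTACKER_PARAMS)
    puts "#{klass}: user_id=#{item['user_id'].inspect} id=#{item['id'].inspect}"
  end
end
```

Run as a script it prints one line per model: the unprotected one ends up with user_id 999 and id 1, the denylist one keeps user_id 42 but still takes id 1 because id was never listed, and the allowlist one keeps user_id 42 and never receives an id at all. That is the practical answer to the second question: a denylist has to name every sensitive column (id, user_id, and whatever gets added later), whereas an allowlist of the user-editable fields drops them without a special case. Whether Rails' own `attributes=` guards id by default is not settled on this page, so the safe assumption is to declare the list yourself.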