While doing @foo = Bar.new(params[:foo]) in a controller, the application is open to injection attacks.

For example, my model has the following attributes:

  name
  password
  admin - boolean

Now, if on my form I'm just accepting name & password, and doing @foo = Bar.new(params[:foo]) in my controller, someone can just enter the following in the form:

  <%= text_field 'foo', 'admin' %>

set it to true, and post it to my controller.

Right now, for such attributes, I'm doing the following:

  @foo = Bar.new(params[:foo])
  @foo.admin = false

But I'm sure there are better conventions to overcome this problem. Please let me know how you handle this problem?

Regards,
Pratik
--
rm -rf / 2>/dev/null - http://null.in
attr_protected

http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M000873

-Jonathan.

On 6/30/06, Pratik <pratiknaik@gmail.com> wrote:
> While doing @foo = Bar.new(params[:foo]) in a controller, the
> application is open to injection attacks.
>
> For example,
> My model has the following attributes:
> name
> password
> admin - boolean
>
> Now, if on my form I'm just accepting name & password, and doing @foo
> = Bar.new(params[:foo]) in my controller, someone can just enter the
> following in the form:
>
> <%= text_field 'foo', 'admin' %> and set it to true, and post it to
> my controller.
>
> Right now, for such attributes, I'm doing the following:
> @foo = Bar.new(params[:foo])
> @foo.admin = false
>
> But I'm sure there are better conventions to overcome this problem.
> Please let me know how you handle this problem?
>
> Regards,
> Pratik
> --
> rm -rf / 2>/dev/null - http://null.in
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
Awesome. Thanks a lot.

-Pratik

On 6/30/06, Jonathan Viney <jonathan.viney@gmail.com> wrote:
> attr_protected
>
> http://api.rubyonrails.org/classes/ActiveRecord/Base.html#M000873
>
> -Jonathan.
>
> On 6/30/06, Pratik <pratiknaik@gmail.com> wrote:
> > While doing @foo = Bar.new(params[:foo]) in a controller, the
> > application is open to injection attacks.
> >
> > For example,
> > My model has the following attributes:
> > name
> > password
> > admin - boolean
> >
> > Now, if on my form I'm just accepting name & password, and doing @foo
> > = Bar.new(params[:foo]) in my controller, someone can just enter the
> > following in the form:
> >
> > <%= text_field 'foo', 'admin' %> and set it to true, and post it to
> > my controller.
> >
> > Right now, for such attributes, I'm doing the following:
> > @foo = Bar.new(params[:foo])
> > @foo.admin = false
> >
> > But I'm sure there are better conventions to overcome this problem.
> > Please let me know how you handle this problem?
> >
> > Regards,
> > Pratik
> > --
> > rm -rf / 2>/dev/null - http://null.in

--
rm -rf / 2>/dev/null - http://null.in
> While doing @foo = Bar.new(params[:foo]) in a controller, the
> application is open to injection attacks.

I wouldn't call this 'injection' in the traditional sense of the term. This is more about application design.

As the admin switch is really important, protect it in the model:

  attr_protected :admin

Then provide methods to grant and revoke admin status:

  # self. is required: a bare "admin = true" would only create a local variable
  def grant_admin
    self.admin = true
  end

  def revoke_admin
    self.admin = false
  end

Hope that helps,

Steve

--
Posted via http://www.ruby-forum.com/.
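The mass-assignment problem from the original post, Jonathan's attr_protected answer and Steve's grant/revoke methods, run together as an added example. This is not code from the thread or from Rails: it is a small stand-in class that reimplements the attr_protected (blacklist) and attr_accessible (whitelist) filtering semantics so the attack and both defences can be executed without a Rails install. Bar and its attributes (name, password, admin) come from the thread; the ATTACK_PARAMS hash is a constructed request in which the client has added the extra admin field the form never offered.

```ruby
# Added example (not code from the thread or from Rails): a minimal stand-in
# for ActiveRecord's mass-assignment filtering so the attack and both
# defences can be run without Rails. Bar and its attributes (name, password,
# admin) come from the thread; the filter logic is a simplified
# reimplementation of attr_protected / attr_accessible semantics.
class Model
  class << self
    def attr_protected(*names)
      protected_attributes.concat(names.map(&:to_s))
    end

    def attr_accessible(*names)
      (@accessible ||= []).concat(names.map(&:to_s))
    end

    def protected_attributes
      @protected ||= []
    end

    def accessible_attributes
      @accessible
    end

    # A whitelist, when declared, decides; otherwise fall back to the blacklist.
    def assignable?(key)
      return accessible_attributes.include?(key) if accessible_attributes
      !protected_attributes.include?(key)
    end
  end

  attr_reader :attributes

  # Equivalent of Bar.new(params[:foo]): every key in the hash is a candidate.
  def initialize(params = {})
    @attributes = {}
    params.each do |key, value|
      key = key.to_s
      # Rails silently drops (and logs) a filtered key; this stand-in drops it too.
      @attributes[key] = value if self.class.assignable?(key)
    end
  end

  def name;     @attributes["name"];     end
  def password; @attributes["password"]; end
  def admin;    @attributes["admin"];    end

  # Explicit, non-mass-assignable path to the sensitive flag (Steve's approach).
  def grant_admin;  @attributes["admin"] = true;  end
  def revoke_admin; @attributes["admin"] = false; end
end

class UnsafeBar < Model; end          # no filtering: the original post's problem

class ProtectedBar < Model            # blacklist, as Jonathan suggested
  attr_protected :admin
end

class AccessibleBar < Model           # whitelist alternative (attr_accessible)
  attr_accessible :name, :password
end

# Constructed attacker request: the form only had name and password, but the
# client added an admin field, exactly as the original post describes.
ATTACK_PARAMS = { "name" => "mallory", "password" => "hunter2", "admin" => "1" }.freeze

# Returns whatever value for admin survived mass assignment on the given class.
def admin_after_mass_assignment(klass)
  klass.new(ATTACK_PARAMS).admin
end

if __FILE__ == $0
  puts "UnsafeBar     admin=#{admin_after_mass_assignment(UnsafeBar).inspect}"
  puts "ProtectedBar  admin=#{admin_after_mass_assignment(ProtectedBar).inspect}"
  puts "AccessibleBar admin=#{admin_after_mass_assignment(AccessibleBar).inspect}"
end
```

UnsafeBar ends up with admin set to "1" straight from the request; ProtectedBar and AccessibleBar both leave it nil, and the only way to set it is through grant_admin. The whitelist form is the safer default for a model that grows new columns later, because a column you forget to list is simply not assignable, whereas with attr_protected a forgotten column is exposed.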