Greg Hauptmann
2006-Sep-09 21:04 UTC
security question re auto-generated model population(params)
Hi,
I currently have my models being auto-populated via an approach like
(from the contact controller "update" action):
@contact = Contact.find(params[:id])
if @contact.update_attributes(params[:contact])
So my understanding here is rails automatically takes all the parameters
(from the form submission) and matches them to model attributes.
Is this a security issue?
Could someone in fact (rails savvy) know for example the magic fields
that rails uses and then construct HTTP requests to override things?
For example, in a form, if you weren't really focused on capturing all the
parameters you really had in your model (for whatever reason), however
you were using the "find(params[:id])" approach, a hacker could
potentially inject another parameter which could get through?
I guess I like the simple approach which saves time, but am interested
to know if I need to do something special to make sure it can't be taken
advantage of.
Tks
--
Posted via http://www.ruby-forum.com/.
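The mass-assignment behaviour asked about above, as an added example that is not code from the original post or from Rails itself: a constructed plain-Ruby stand-in for a model whose update_attributes-style method writes every submitted key, shown beside an allow-list version (the idea behind Rails' attr_accessible/attr_protected and, later, strong parameters). The Contact class, its attribute names and the tampered params hash are all assumptions, not real ActiveRecord.

```ruby
# Constructed stand-in for an ActiveRecord model; this is NOT the real Rails API.
# It mimics what mass assignment does: for every key in the params hash,
# call the matching "attribute=" writer on the model.
class Contact
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Naive mass assignment, as in the "update_attributes(params[:contact])" pattern:
  # every submitted key becomes an attribute write, including keys the form never showed.
  def update_attributes_unfiltered(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Hardened: only keys on an explicit allow-list are assigned, so a request
  # carrying extra keys cannot reach attributes the form was not meant to set.
  PERMITTED = %w[name email].freeze

  def update_attributes_filtered(attrs)
    attrs.each do |k, v|
      next unless PERMITTED.include?(k.to_s)
      public_send("#{k}=", v)
    end
    self
  end
end

# Constructed request parameters: what a legitimate form posts, plus one extra
# key ("admin") that the form never rendered but a crafted request could include.
TAMPERED_PARAMS = { "name" => "Greg", "email" => "greg@example.com", "admin" => true }.freeze

def demo_unfiltered
  Contact.new(name: "old", email: "old@example.com").update_attributes_unfiltered(TAMPERED_PARAMS)
end

def demo_filtered
  Contact.new(name: "old", email: "old@example.com").update_attributes_filtered(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered admin: #{demo_unfiltered.admin}" # true  -> protected field overwritten
  puts "filtered   admin: #{demo_filtered.admin}"   # false -> extra key ignored
end
```

The filtered version still updates name and email; only the key outside the allow-list is dropped.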