Hi,

Is it necessary to validate incoming text from a form field if we use h(...) to display it in our view? Are there any security issues in storing that information in the database as long as I make sure I'm using h(...) to display it?

Thanks,
Sam.

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
snhorne-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2006-Oct-01 13:45 UTC
Re: validating text in Rails.
Hi Sam -

h() is there to protect you from cross-site scripting attacks. SQL injection attacks are a different beast. Luckily, ActiveRecord will take care of those for you, as long as you use it correctly. This boils down to never manually inserting user-entered content into an SQL query.

For more detail: http://manuals.rubyonrails.com/read/book/8

Cheers,
Starr

--
www.thebootstrapnation.com - Where business and code collide.
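The two different problems Starr separates above, shown side by side as an added example (this is not code from either poster or from Rails itself). It uses only the Ruby standard library: h() in a Rails view is ERB::Util.html_escape, so the XSS half is the real helper; the SQL half uses a small stand-in for the "conditions array with ? placeholders" style, written here for illustration and quoting single quotes by doubling them, so it is an assumption about the shape of the technique, not ActiveRecord's own implementation. The form input strings are constructed for the example.

```ruby
require 'erb'

# Constructed sample inputs, as a form field might submit them.
XSS_INPUT = %q{Sam <script>alert(document.cookie)</script>}
SQL_INPUT = %q{x' OR '1'='1}

# --- Display side: this is what h() does in a Rails view. -------------------
# Raw interpolation into HTML lets the stored <script> run in every reader's
# browser; html_escape turns the markup into inert text.
def render_unescaped(name)
  "<p>Hello, #{name}</p>"
end

def render_escaped(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"
end

# --- Database side: what h() does NOT cover. -------------------------------
# The mistake the reply warns about: user text pasted straight into SQL.
# Nothing about escaping at display time helps here, because the value
# stored in the database is still the raw string.
def vulnerable_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Stand-in for the placeholder style ("name = ?", value). Illustrative only;
# ActiveRecord and the database driver do the real quoting in a Rails app.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def bind_query(sql, *values)
  # Split on every placeholder first so that a "?" inside a bound value can
  # never be mistaken for a later placeholder.
  parts = sql.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  out = parts.first
  values.each_with_index { |v, i| out << quote_literal(v) << parts[i + 1] }
  out
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(XSS_INPUT)
  puts render_escaped(XSS_INPUT)
  puts vulnerable_query(SQL_INPUT)
  puts bind_query("SELECT * FROM users WHERE name = ?", SQL_INPUT)
end
```

Run it and compare the two SQL strings: the interpolated one ends in `name = 'x' OR '1'='1'`, which matches every row, while the bound one keeps the whole input inside one quoted literal. That is why the reply says the two concerns are separate: h() at render time fixes the first pair of lines, and only never building SQL by hand fixes the second.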