kwerle-e+AXbWqSrlAAvxtiuMwx3w@public.gmane.org
2007-Mar-29 20:57 UTC
Data Integrity and Form Security
I'm new to rails, and am used to technology that takes care of the following issue for you: When using forms in rails, all your data paths lay exposed to the user. It's easy for them to hack the HTML so that when they POST/GET, they set data for columns that you didn't mean for them to update. attr_protected is a somewhat reasonable solution, but it means that you have to be careful about what you do and do not protect. Then you have to deal with the columns you decided to protect individually - repeatedly! Speaking of wet - ugh.

If that were the only problem, I could probably live with it. But in addition to that, you're also exposing id's so that you can reference specific rows. A mischievous user could modify rows that they should not - unless I check every reference to make sure they're not. Again, trouble that I don't want to deal with.

Has anyone modified or written an alternative to the form helpers that would take care of this for me? Seems like all it would take is a big hash of magic keys to swap in/out for the normal values. I imagine instead of

    <input ... name="model[attribute]" ...

or even worse

    <input ... name="model_rownum_attribute" ...

you would get

    <input ... name="my_magic_hash" ...

Then when the rails app received the next request, the "my_magic_hash" would be replaced with the regular string.

I know I'm not the first person to want something like this - has anyone done a rails solution?

TIA,
Kurt
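The two exposures described in the post (form fields that map straight onto columns, and row ids that can be rewritten by the client), as an added example in plain Ruby that is not part of the original thread and does not use Rails; the `User` class, the `ALLOWED` list, the `ROWS` table and the param strings are constructed for illustration.

```ruby
require 'cgi'

# Parse a Rails-style body such as "user[name]=Kurt&user[admin]=1" into
# {"user" => {"name" => "Kurt", "admin" => "1"}}. Nothing here decides
# which keys are legitimate; that is exactly why the model must not trust it.
def parse_params(body)
  body.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    key = CGI.unescape(key.to_s)
    value = CGI.unescape(value.to_s)
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
end

# Constructed stand-in for a model with an "admin" column the form never shows.
class User
  attr_accessor :name, :email, :admin
  def initialize
    @admin = false
  end
end

# Vulnerable: every key the client sent becomes a column write, so an added
# "user[admin]=1" field flips the flag even though the form never rendered it.
def unsafe_update(user, attrs)
  attrs.each { |k, v| user.public_send("#{k}=", v) if user.respond_to?("#{k}=") }
  user
end

# Hardened: an explicit allow-list of the columns this form may set (the
# attr_accessible/attr_protected idea, applied per form rather than per model).
ALLOWED = %w[name email].freeze
def safe_update(user, attrs)
  attrs.select { |k, _| ALLOWED.include?(k) }
       .each { |k, v| user.public_send("#{k}=", v) }
  user
end

# The exposed-id problem: look the row up *within the caller's own rows*, so a
# tampered id that belongs to someone else simply yields nil. ROWS is constructed.
ROWS = [{ id: 1, owner_id: 10, title: 'mine' },
        { id: 2, owner_id: 11, title: 'theirs' }].freeze
def find_owned(rows, owner_id, id)
  rows.find { |r| r[:owner_id] == owner_id && r[:id] == id }
end
```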