As we all know you cannot trust anything you receive from the internet.
I am wondering what the correct RoR way is to solve this. For the model
there are various validates_* methods that you can use to ensure some
integrity of that part. That is good by itself. Though it would be nice
if setting these would also result in enforcement in the database
backend
itself when supported. Here I am as much thinking of the relations as
has_many to ensure foreign keys are valid.
But separate from this I think any received data should be validated
before being touched at all. It may be used in many other ways.
I can see data in params is marked as tainted. I am thinking one way is
to
validate data and untaint it and the run with an increased $SAFE level.
But I would really like to ensure that I don’t forget validating any
parameters even if only used for “safe” operations. Is there any better
way that putting validated parameters in a separate hash? Maybe deleting
all tainted parameters?
I am thinking this should be done for the controller as for the model by
specifying something like
validates_numericality_of :id, :except => [ :list ]
in the beginning of the controller.
And then in the controller I don’t need to worry about if :id is
pressent
or has the correct format.
The remaining question is then what should be done if a parameter
doesn’t
validate.
Or is there already a RoR way of doing this that I just haven’t
realised?