Cleansing form value Hash's

oksteev · 2005-12-02 10:54:00 UTC

So I’m looking for a nice simple way of doing this.

When I have form field names in the format of record[attr1]
record[attr2] etc so
that I can just call .update_attributes(params[:record]) I run into the
problem
of a malicious user being able to submit an extra form value with the
name of a
foreign_key column.

Is there a simple way I can clean a hash of all association ids? I’d be
fine
with writing my own method I’m just not sure of a way to get a list of
association id’s for any given AR object.

Any help is appreciated.

steve

oksteev · 2005-12-03 14:25:47 UTC

steve dp wrote:

So I’m looking for a nice simple way of doing this.

When I have form field names in the format of record[attr1] record[attr2] etc so
that I can just call .update_attributes(params[:record]) I run into the problem
of a malicious user being able to submit an extra form value with the name of a
foreign_key column.

Is there a simple way I can clean a hash of all association ids? I’d be fine
with writing my own method I’m just not sure of a way to get a list of
association id’s for any given AR object.

Is attr_protected what you want?
http://api.rubyonrails.com/classes/ActiveRecord/Base.html#M000704

–
We develop, watch us RoR, in numbers too big to ignore.