While doing @foo = Bar.new(params[:foo]) in a controller, the
application is open to injection attacks.
For example,
My model has following attributes :
name
password
admin - boolean
Now, if on my form I’m just acception name & password, and doing @foo
= Bar.new(params[:foo]) in my controller, someone can just enter
following in form :
<%= text_field ‘foo’, ‘admin’ %> and set to it to true, and post it to
my controller.
Right now, for such attributes, I’m doing the following :
@foo = Bar.new(params[:foo])
@foo.admin = false
But I’m sure there are better conventions to overcome this problem.
Please let me know how do you handle this problem ?
Regards,
Pratik