Forum: Ruby on Rails Cleansing form value Hash's

oksteev (Guest)
on 2005-12-02 10:54
(Received via mailing list)
So I'm looking for a nice simple way of doing this.

When I have form field names in the format of record[attr1] record[attr2] etc so
that I can just call .update_attributes(params[:record]) I run into the problem
of a malicious user being able to submit an extra form value with the name of a
foreign_key column.

Is there a simple way I can clean a hash of all association ids?  I'd be fine
with writing my own method I'm just not sure of a way to get a list of
association id's for any given AR object.

Any help is appreciated.

- steve
mrj (Guest)
on 2005-12-03 14:25
(Received via mailing list)
steve dp wrote:
> So I'm looking for a nice simple way of doing this.
>
> When I have form field names in the format of record[attr1] record[attr2] etc so
> that I can just call .update_attributes(params[:record]) I run into the problem
> of a malicious user being able to submit an extra form value with the name of a
> foreign_key column.
>
> Is there a simple way I can clean a hash of all association ids?  I'd be fine
> with writing my own method I'm just not sure of a way to get a list of
> association id's for any given AR object.

Is attr_protected what you want?
     http://api.rubyonrails.com/classes/ActiveRecord/Ba...

--
We develop, watch us RoR, in numbers too big to ignore.
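
The filtering asked about in this thread, as an added example that is not part of the original posts and is not Rails code: `TinyModel`, `strip_foreign_keys` and `permit_only` are hypothetical plain-Ruby stand-ins for an ActiveRecord class, and the `<name>_id` foreign-key convention is assumed. It also shows that a denylist of association ids still leaves other sensitive columns assignable, while an allowlist does not.

```ruby
# Plain Ruby, no Rails required. TinyModel is a hypothetical stand-in
# for an ActiveRecord class; none of this is Rails' own implementation.
class TinyModel
  class << self
    # Foreign-key columns recorded by belongs_to declarations (per class).
    def foreign_keys
      @foreign_keys ||= []
    end

    # Mimics declaring an association; assumes the "<name>_id" convention.
    def belongs_to(name)
      foreign_keys << "#{name}_id"
    end

    # Denylist filter: drop every association id and the primary key.
    def strip_foreign_keys(params)
      blocked = foreign_keys + ["id"]
      params.reject { |key, _| blocked.include?(key.to_s) }
    end

    # Allowlist filter: keep only the keys the form is meant to submit.
    def permit_only(params, *allowed)
      allowed = allowed.map(&:to_s)
      params.select { |key, _| allowed.include?(key.to_s) }
    end
  end

  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = attributes.transform_keys(&:to_s)
  end

  # Mass assignment that filters association ids before merging.
  def update_attributes(params)
    safe = self.class.strip_foreign_keys(params)
    @attributes.merge!(safe.transform_keys(&:to_s))
    self
  end
end

class Comment < TinyModel
  belongs_to :user
  belongs_to :post
end

# Constructed sample: a form post carrying two injected fields.
SUBMITTED = { "body" => "edited text", "user_id" => "1", "is_admin" => "1" }.freeze
```

With the constructed input, `strip_foreign_keys` removes `user_id` but passes `is_admin` through, whereas `permit_only(SUBMITTED, :body)` keeps only `body`.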