As we all know you cannot trust anything you receive from the internet. I am wondering what the correct RoR way is to solve this. For the model there are various validates_* methods that you can use to ensure some integrity of that part. That is good by itself. Though it would be nice if setting these would also result in enforcement in the database backend itself when supported. Here I am as much thinking of the relations as has_many to ensure foreign keys are valid. But separate from this I think any received data should be validated before being touched at all. It may be used in many other ways. I can see data in params is marked as tainted. I am thinking one way is to validate data and untaint it and the run with an increased $SAFE level. But I would really like to ensure that I don't forget validating any parameters even if only used for "safe" operations. Is there any better way that putting validated parameters in a separate hash? Maybe deleting all tainted parameters? I am thinking this should be done for the controller as for the model by specifying something like validates_numericality_of :id, :except => [ :list ] in the beginning of the controller. And then in the controller I don't need to worry about if :id is pressent or has the correct format. The remaining question is then what should be done if a parameter doesn't validate. Or is there already a RoR way of doing this that I just haven't realised?
on 2006-04-26 11:28