In the new Programming Phoenix book, Chris McCord says this about using string and atom keys for controller action params:
In the world action in our controllers, the external parameters have string keys, "name" => name, while internally we use name: name. That's a convention followed throughout Phoenix. External data is unsafe, so we explicitly match on the string keys, and then our application boundaries like controllers and channels will convert them into atom keys which we will rely on everywhere else inside Phoenix.
But it's not clear to me why using string keys is more secure than atom keys. Why are string keys a safer solution here?
By default, the maximum number of atoms in the Erlang VM is 1048576. So by converting external values into atoms you are filling up the global atom table, which is not garbage collected. Thus, you become vulnerable to a denial of service attack.
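The risk described in the answer, shown as an added Elixir example that is not part of the original question, the answer, or Phoenix itself. The module name AtomTableDemo, its functions, and the sample params are constructed for illustration; the only real calls are String.to_atom/1, String.to_existing_atom/1 and :erlang.system_info/1.

```elixir
# Added example: why converting untrusted string keys to atoms is a
# denial-of-service risk, and the two safe patterns used at a Phoenix
# boundary. Not code from the original page or from Phoenix.
defmodule AtomTableDemo do
  # Constructed sample of "external" params as a controller or channel
  # receives them: string keys, values and key names under caller control.
  @sample_params %{"name" => "alice", "role" => "admin"}

  def sample_params, do: @sample_params

  # UNSAFE: every unique key name an attacker sends becomes a new atom.
  # Atoms are never garbage collected, so enough distinct keys fill the
  # table (default limit below) and the VM crashes.
  def unsafe_to_atoms(params) when is_map(params) do
    Map.new(params, fn {k, v} -> {String.to_atom(k), v} end)
  end

  # SAFE pattern 1 (the Phoenix convention): match the exact string keys
  # you expect at the boundary and build the internal map from literal
  # atoms. No attacker-controlled string is ever converted.
  def safe_match(%{"name" => name}) when is_binary(name) do
    {:ok, %{name: name}}
  end

  def safe_match(_other), do: {:error, :bad_params}

  # SAFE pattern 2: when a dynamic key is unavoidable, accept only atoms
  # that already exist. An unknown key raises instead of allocating.
  def safe_existing_atom(key) when is_binary(key) do
    {:ok, String.to_existing_atom(key)}
  rescue
    ArgumentError -> {:error, :unknown_key}
  end

  # The VM-wide ceiling the answer refers to (1048576 unless started
  # with +t); :atom_count is the current number of atoms allocated.
  def atom_limit, do: :erlang.system_info(:atom_limit)

  # Measures how much the atom table grows when a single request body
  # with n constructed, previously unseen key names hits the unsafe path.
  def atom_growth(n) when is_integer(n) and n > 0 do
    before = :erlang.system_info(:atom_count)
    hostile = Map.new(1..n, fn i -> {"hostile_key_#{i}", true} end)
    _ = unsafe_to_atoms(hostile)
    :erlang.system_info(:atom_count) - before
  end
end
```

In iex, `AtomTableDemo.atom_growth(10_000)` returns roughly 10_000 on a fresh VM, and the number never goes back down; calling it again with a larger n eventually raises a system_limit error and the node dies. `AtomTableDemo.safe_match(AtomTableDemo.sample_params())` returns `{:ok, %{name: "alice"}}` without touching the atom table, and `AtomTableDemo.safe_existing_atom("definitely_not_an_atom")` returns `{:error, :unknown_key}`.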