Does Rails automatically protect against vulnerabilities of doing something like:
Given a URL: http://a.com/?id=3131313131313
then in the rails controller
@comment = Comment.find(params[:id])
Does Rails auto protect that, or do I need to do some type of validation to protect the app from hackers?
Thanks
Let’s talk about Rails parameters! Why are they useful? Users can send data to your web application in three different ways. How do you access this data from Rails? With params. Inside your controller actions you can call params to access form & URL query data. What is params, exactly?
Besides query parameters, you can also enable REST-style parameters. In Rails, we call this a “dynamic segment”. Let’s see an example. Then you can access this 1, which is the id in books/:id, with params. This will help you find the specific resource the user is looking for.
Rails introduced the “strong parameters” system, back in Rails 4 as a security feature. It forces you to whitelist the attributes that can be saved. This prevents an issue known as “mass assignment”, which allows malicious users to set admin = true, or set other fields that normally they wouldn’t have access to.
All values inside params are strings, even if they’ve been submitted as integers. Let’s look a little deeper into Rails params, because if you don’t understand them well they can be a source of confusion & strange problems! How do form fields & URL parameters map to params keys?
ActiveRecord find will always use .to_i to prevent all SQL injection magic.
Rails will also auto-escape stuff in queries like this:
Comment.where(["id = ?", params[:id]])
But not in
Comment.where("id = #{params[:id]}")
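A stand-in written for this page (an added example, not ActiveRecord's code or the answerer's) that builds the SQL each of the answer's three forms would produce from a constructed params[:id]. The names quote_value, interpolated_sql, bound_sql, find_sql and TAMPERED_ID are all assumed, and to_i is used where real ActiveRecord casts through the column's type.

```ruby
# Added example for this page, not ActiveRecord's own code: a tiny stand-in
# showing how the three query styles in the answer treat params[:id].
# In Rails every value in params arrives as a String, even a numeric id.

# Stand-in for the quoting a bound placeholder ("?") receives: Integers are
# emitted bare, anything else becomes a single-quoted SQL string literal with
# embedded quotes doubled. (Assumption: mirrors the effect, not AR's internals.)
def quote_value(value)
  return value.to_s if value.is_a?(Integer)

  "'#{value.to_s.gsub("'", "''")}'"
end

# Comment.where("id = #{params[:id]}") -- the unsafe form from the answer:
# the request text is spliced straight into the SQL and becomes part of its grammar.
def interpolated_sql(id_param)
  "SELECT * FROM comments WHERE id = #{id_param}"
end

# Comment.where(["id = ?", params[:id]]) -- the safe form from the answer:
# the value is quoted, so it can only ever be a literal, never a new condition.
def bound_sql(id_param)
  "SELECT * FROM comments WHERE id = ?".sub("?", quote_value(id_param))
end

# Comment.find(params[:id]) -- the answer's point: the id is cast to an integer
# before use, so trailing text is discarded ("3131313131313 OR 1=1".to_i is
# 3131313131313). Real AR casts via the column type; to_i is the stand-in here.
def find_sql(id_param)
  "SELECT * FROM comments WHERE id = #{id_param.to_i} LIMIT 1"
end

# Constructed sample: a params[:id] value that carries more than an id.
TAMPERED_ID = "3131313131313 OR 1=1"

if __FILE__ == $PROGRAM_NAME
  puts interpolated_sql(TAMPERED_ID) # ... WHERE id = 3131313131313 OR 1=1  (condition rewritten)
  puts bound_sql(TAMPERED_ID)        # ... WHERE id = '3131313131313 OR 1=1' (harmless literal)
  puts find_sql(TAMPERED_ID)         # ... WHERE id = 3131313131313 LIMIT 1  (cast to integer)
end
```

Only the interpolated form lets the request change the shape of the WHERE clause; the other two keep the value a value.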