On 20 Dec 2008, at 18:31, Ben Knight wrote:
> > What's the most recommended technique for guarding Rails HTTP params? > > For example, something like this can obviously be dangerous (e.g. SQL > injection) > user_account = UserAccount.find(:first, :conditions => ["username = > ?", params[:id]) > If you read the docs, you would know that this sanitizes parameters precisely to guard against such injection :-) Fred > I am about to write a home-grown validation routine to check for > string > lengths, data types (e.g. numeric versus string, depending on what I'm > expecting), etc. but I wasn't sure if there are existing > plugins/libraries out there. > > I was considering writing something like this: > id = validate_params(params[:id], "string", 10) # 10 being > max_length > -- > Posted via http://www.ruby-forum.com/. > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
