Hi Colin,

> Remember that all your form does is to build an http request and send it to the server.

I didn't perceive that. Thanks for the enlightenment.

> A hacker can build any http request he likes without using your form, and send it to your server, with any values in params that he fancies.

But that can be ameliorated by adding a User class with login/logout methods, with the former creating a User object. Then I can protect attempted use of other than a User#login from doing so absent a User object. At least that's what I'm planning to implement next, guided by Agile Web Dev w/ Rails, et al. Sound reasonable?

On Aug 9, 11:16 am, Colin Law <[email protected]> wrote:
> On 9 August 2010 16:08, RichardOnRails
> <[email protected]> wrote:
> > Hi Hassan,
> >
> >> > It can't be nil. When the form is instantiated
> >
> >> Assuredly, it can be -- a request can be generated without your form
> >> being involved at all.
> >
> > I don't get it. Can you point me to some tutorial that deals with
> > this issue?
>
> Remember that all your form does is to build an http request and send
> it to the server. A hacker can build any http request he likes
> without using your form, and send it to your server, with any values
> in params that he fancies.
>
> Colin

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
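Colin's point, that the server only ever sees an HTTP request and cannot tell whether the form produced it, is illustrated below in a Rails-free Ruby sketch. This is an added example, not code from the thread or from the Rails project; `Request`, `USERS`, `ALLOWED_PARAMS` and `handle_post` are constructed stand-ins for a controller action, and the session hash plays the role of the logged-in User object Richard plans to add.

```ruby
# A request is nothing more than a params hash plus whatever session the
# server itself established earlier. A hand-built request (curl, a script)
# can carry any params at all, so every guarantee the form would have given
# must be re-established here, on the server.
Request = Struct.new(:params, :session)

# Hypothetical user store standing in for the thread's User class.
USERS = { 42 => "richard" }.freeze

# Attributes a client is allowed to set on a post (strong-params style).
ALLOWED_PARAMS = %w[title body].freeze

# Returns a hash with :status and either :data or :error.
def handle_post(request)
  # 1. Identity comes from the session the server set at login, never from
  #    a param, because a param can be typed in by anyone.
  user = USERS[request.session[:user_id]]
  return { status: 401, error: "login required" } unless user

  # 2. Do not assume the form supplied the param: it may be absent, nil,
  #    or the wrong type ("It can't be nil" only holds for the form's own
  #    requests).
  post = request.params["post"]
  return { status: 400, error: "post missing" } unless post.is_a?(Hash)

  # 3. Keep only whitelisted keys so extra ones such as "admin" or
  #    "user_id" that a forged request adds are silently dropped.
  attrs = post.select { |key, _| ALLOWED_PARAMS.include?(key) }
  return { status: 400, error: "title blank" } if attrs["title"].to_s.strip.empty?

  { status: 201, data: attrs.merge("author" => user) }
end

# Constructed sample requests: one forged without a session, one from a
# logged-in user whose form omitted the post, one legitimate but padded
# with an extra "admin" key.
if __FILE__ == $0
  forged = Request.new({ "post" => { "title" => "x", "admin" => true } }, {})
  puts handle_post(forged).inspect                         # status 401
  no_post = Request.new({}, { user_id: 42 })
  puts handle_post(no_post).inspect                        # status 400
  ok = Request.new({ "post" => { "title" => "Hi", "body" => "b", "admin" => true } },
                   { user_id: 42 })
  puts handle_post(ok).inspect                             # status 201, no "admin"
end
```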

