On Tue, Aug 10, 2010 at 12:30 PM, RichardOnRails <[email protected]> wrote:
> I don't mean to be obstinate, Hassan. The problem is I don't see
> what's wrong with what my code presently does:
>
> My perception is that my browser renders a form with a drop-down for
> vendor selection.

So what? That's totally missing the point.

Your controller can receive a request that has *absolutely no relation*
to the form you created. You could have a select for parameter "x"
offering the choices 1, 2, or 3. It's utterly trivial for anyone, with
any number of tools (cf. curl, wget), to send a request with x=4, or
x=the%20horse%20you%20rode%20in%20on or x=''.

You have *no way* to control that. You *do* have the ability to validate
your inputs, and/or deal explicitly with exceptions if those inputs aren't
what you want. But you can't make assumptions that you *know* what those
inputs are going to be when they're coming from a remote client.

-- 
Hassan Schroeder ------------------------ [email protected]
twitter: @hassan
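The point Hassan makes above, as an added example that is not part of the original post or of either poster's code: a server-side check that treats the "vendor_id" parameter as untrusted, no matter what the form's drop-down offered. It is plain Ruby with no Rails dependency so it runs stand-alone; the `select_vendor` method, the `VENDORS` catalogue and the sample requests are constructed stand-ins for a controller action, its params hash and the kind of crafted requests curl or wget can send.

```ruby
# Added example, not from the original thread. Plain Ruby, no Rails.
# VENDORS stands in for whatever backs the form's <select>; the form
# offered ids 1, 2 and 3, but a client can send anything it likes.
VENDORS = { 1 => "Acme", 2 => "Globex", 3 => "Initech" }.freeze

class InvalidVendor < StandardError; end

# Parse and validate the raw "vendor_id" request parameter (a String or
# nil, as a web framework delivers it). Returns the Integer id on success
# and raises InvalidVendor for anything the form did not offer.
def validate_vendor_id(raw)
  # Reject missing or blank values before trying to convert them.
  raise InvalidVendor, "vendor_id missing" if raw.nil? || raw.to_s.strip.empty?

  # Kernel#Integer with an explicit base is strict: "4abc", "" and
  # "the horse you rode in on" raise ArgumentError, whereas String#to_i
  # would silently turn them into 0.
  id = Integer(raw.to_s, 10)

  # Even a well-formed integer is only acceptable if it is one the
  # application actually offers; x=4 is a forged request, not a choice.
  raise InvalidVendor, "unknown vendor_id #{id}" unless VENDORS.key?(id)
  id
rescue ArgumentError
  raise InvalidVendor, "vendor_id is not an integer: #{raw.inspect}"
end

# Hypothetical controller action: takes the params hash and returns a
# [status, body] pair, answering bad input with 422 instead of crashing.
def select_vendor(params)
  id = validate_vendor_id(params["vendor_id"])
  [200, "selected #{VENDORS[id]}"]
rescue InvalidVendor => e
  [422, e.message]
end

# Constructed requests. The first is what the browser form sends; the
# rest are what anyone with curl can send, regardless of the form.
REQUESTS = [
  { "vendor_id" => "2" },                         # legitimate choice
  { "vendor_id" => "4" },                         # id the select never offered
  { "vendor_id" => "the horse you rode in on" },  # not an integer at all
  { "vendor_id" => "" },                          # x=''
  {},                                             # parameter omitted entirely
].freeze

if __FILE__ == $PROGRAM_NAME
  REQUESTS.each { |req| p select_vendor(req) }
end
```

The two layers matter separately: the strict integer parse stops type confusion, and the membership check against what the application offers stops a syntactically valid but unauthorized id. Neither depends on what the HTML form contained, which is the whole point.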

