On Jun 15, 8:59 am, Jeremy Evans <[EMAIL PROTECTED]> wrote:

> ARAI Shunichi wrote:
> > Hi all,
> >
> > I think that if a method like the one below is added to Sequel::Model, it will help
> > web application developers avoid carelessly making a security hole.
> >
> > It can be used as:
> >
> > update_select([:name, :password], http_params)
> >
> > It prevents an attack which injects HTTP parameters not shown in an HTML
> > form (such as administrator_flag, etc...).
> >
> > People should never write code like the one below.
> >
> > update_with_params(http_params)
> >
> > --
> > def update_select(selection, hash)
> >   data = {}
> >   selection.each { |k| data[k] = hash[k] || hash[k.to_sym] }
> >   update_with_params(data)
> > end
>
> It's funny you mention this, because I was planning to add something
> similar to this functionality today. I'll post here with the commit
> after I've added it.
>
> Jeremy
Here it is:
http://github.com/jeremyevans/sequel/commit/7f36a64e603e7e678a05e357ad1b2f4f2acbbf86

The system created is pretty flexible. You can set default columns to allow (Model.allowed_columns) or restrict (Model.restricted_columns). The primary key field is now restricted by default; you can choose to unrestrict it with Model.unrestrict_primary_key. You can go around the allowed/restricted columns using Model#set_all and Model#update_all. You can choose your own group of columns to allow on a per-call basis with set_only/update_only/set_except/update_except.

Jeremy

--
You received this message because you are subscribed to the Google Groups "sequel-talk" group.
To post to this group, send email to sequel-talk@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sequel-talk?hl=en
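The following is an added example, not code from this thread and not Sequel's implementation. It is a small plain-Ruby stand-in that shows the two ideas discussed above side by side: ARAI's per-call column selection (`update_select`) and the class-level allow/restrict defaults with `set_only`/`set_except`/`set_all` that the commit describes. The class `SafeModel`, the `User` subclass, the `normalize` helper and the `HTTP_PARAMS` request are all constructed for this illustration; the method names mirror the thread's vocabulary but are assumptions, not Sequel's API.

```ruby
# Added example: a minimal model with mass-assignment filtering.
# Does NOT depend on Sequel; every name here is an illustrative assumption.

class SafeModel
  # Class-level defaults. An allow list, when set, takes precedence over a deny list.
  class << self
    attr_accessor :allowed_columns, :restricted_columns
  end

  attr_reader :values

  def initialize(values = {})
    @values = values.dup
  end

  # Untrusted HTTP params usually arrive string-keyed; normalise to symbols so a
  # client cannot dodge a filter by sending "admin" where the filter checks :admin.
  def self.normalize(params)
    params.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  end

  # Apply the class defaults: keep only allowed columns, or drop restricted ones.
  def set(params)
    data = self.class.normalize(params)
    if self.class.allowed_columns
      data = data.select { |k, _| self.class.allowed_columns.include?(k) }
    elsif self.class.restricted_columns
      data = data.reject { |k, _| self.class.restricted_columns.include?(k) }
    end
    @values.merge!(data)
    self
  end

  # Per-call allow list, the same idea as ARAI's update_select.
  def set_only(params, *cols)
    @values.merge!(self.class.normalize(params).select { |k, _| cols.include?(k) })
    self
  end

  # Per-call deny list; note it only blocks what the caller remembers to list.
  def set_except(params, *cols)
    @values.merge!(self.class.normalize(params).reject { |k, _| cols.include?(k) })
    self
  end

  # Bypasses all filtering; only for hashes the application built itself.
  def set_all(params)
    @values.merge!(self.class.normalize(params))
    self
  end
end

class User < SafeModel
  # Primary key and privilege flag are never settable from request data.
  self.restricted_columns = [:id, :administrator_flag]
end

# Constructed sample request: the HTML form only shows name and password,
# but the client appended two extra parameters.
HTTP_PARAMS = {
  "name" => "alice", "password" => "s3cret",
  "administrator_flag" => "1", "id" => "1"
}.freeze

# Runs the same request through each assignment style and returns the
# resulting column values for comparison.
def demo
  fresh = -> { User.new(id: 42, administrator_flag: false) }
  {
    unfiltered: fresh.call.set_all(HTTP_PARAMS).values,
    defaults:   fresh.call.set(HTTP_PARAMS).values,
    only:       fresh.call.set_only(HTTP_PARAMS, :name, :password).values,
    except:     fresh.call.set_except(HTTP_PARAMS, :administrator_flag).values
  }
end

if __FILE__ == $0
  demo.each { |style, vals| puts "#{style}: #{vals.inspect}" }
end
```

The `except` case is the one worth noticing: a per-call deny list that forgets `:id` lets the injected primary key through, which is why the commit restricts the primary key by default and makes an allow list (`set_only`) the safer per-call choice.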