On Jun 15, 8:59 am, Jeremy Evans <[EMAIL PROTECTED]> wrote:
> ARAI Shunichi wrote:
> > Hi all,
>
> > I think that if a method like the one below is added to Sequel::Model, it will help
> > Web application developers avoid carelessly making a security hole.
>
> > It can be used as,
>
> > update_select([:name, :password], http_params)
>
> > It prevents an attack which injects HTTP parameters not shown in an HTML
> > form (such as administrator_flag, etc...)
>
> > People should never write code like the one below.
>
> > update_with_params(http_params)
>
> > --
> >   def update_select(selection, hash)
> >     data = {}
> >     # accept either String keys (typical for HTTP params) or Symbol keys
> >     selection.each { |k| data[k] = hash[k] || hash[k.to_s] || hash[k.to_sym] }
> >     update_with_params(data)
> >   end
>
> It's funny you mention this, because I was planning to add something
> similar to this functionality today.  I'll post here with the commit
> after I've added it.
>
> Jeremy

Here it is: 
http://github.com/jeremyevans/sequel/commit/7f36a64e603e7e678a05e357ad1b2f4f2acbbf86

The system created is pretty flexible.  You can set default columns to
allow (Model.allowed_columns) or restrict (Model.restricted_columns).
The primary key field is now restricted by default, you can choose to
unrestrict it with Model.unrestrict_primary_key.  You can go around
the allowed/restricted columns using Model#set_all and
Model#update_all.  You can choose your own group of columns to allow
on a per call basis with set_only/update_only/set_except/
update_except.

Jeremy
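The allowed/restricted column scheme described in the message above, as an added self-contained Ruby sketch. This is not Sequel's implementation and not code from the thread: the class GuardedModel, its storage (an in-memory Hash instead of a database row) and the way it reports rejected keys are assumptions chosen to mirror the API names mentioned (allowed_columns, restricted_columns, unrestrict_primary_key, set_all, set_only, set_except). The sample form submission is constructed.

```ruby
# Hypothetical base class that whitelists columns for mass assignment.
# Not Sequel's code; names follow the message above for illustration only.
class GuardedModel
  class << self
    attr_reader :columns, :primary_key, :allowed_columns, :restricted_columns

    # Declare the table's columns; the first one is treated as the primary key.
    # The primary key is restricted by default, as the message describes.
    def set_columns(*cols)
      @columns = cols
      @primary_key = cols.first
      @allowed_columns = nil      # nil means "no explicit whitelist"
      @restricted_columns = []
      @restrict_primary_key = true
    end

    def set_allowed_columns(*cols);    @allowed_columns = cols;       end
    def set_restricted_columns(*cols); @restricted_columns = cols;    end
    def unrestrict_primary_key;        @restrict_primary_key = false; end
    def restrict_primary_key?;         @restrict_primary_key;         end

    # Columns a plain set/update may touch, given the class-level defaults.
    def settable_columns
      cols = allowed_columns || columns
      cols -= restricted_columns
      cols -= [primary_key] if restrict_primary_key?
      cols
    end
  end

  attr_reader :values

  def initialize(values = {})
    @values = values
  end

  # Honour the class-level allowed/restricted lists.
  def set(hash)
    set_restricted(hash, self.class.settable_columns)
  end

  # Caller supplies the exact whitelist for this one call.
  def set_only(hash, *only)
    set_restricted(hash, only.flatten)
  end

  # Everything in the table except the named columns, for this one call.
  def set_except(hash, *except)
    set_restricted(hash, self.class.columns - except.flatten)
  end

  # Bypass the checks entirely; only for data that is already trusted.
  def set_all(hash)
    set_restricted(hash, self.class.columns)
  end

  private

  # Copy only the permitted keys. Returns the keys that were rejected so a
  # tampered form is visible to the caller (for logging) rather than silently
  # dropped. HTTP params usually arrive with String keys, so normalise first.
  def set_restricted(hash, permitted)
    rejected = []
    hash.each do |k, v|
      key = k.to_sym
      if permitted.include?(key)
        @values[key] = v
      else
        rejected << key
      end
    end
    rejected
  end
end

# Hypothetical model: administrator_flag is never settable from params.
class User < GuardedModel
  set_columns :id, :name, :password, :administrator_flag
  set_restricted_columns :administrator_flag
end

# Constructed sample: what a tampered copy of the edit-profile form might send.
TAMPERED_PARAMS = {
  'id' => '1',
  'name' => 'mallory',
  'password' => 'hunter2',
  'administrator_flag' => 'true'
}

# Returns [values actually assigned, keys that were rejected].
def demo
  u = User.new
  rejected = u.set(TAMPERED_PARAMS)
  [u.values, rejected]
end
```

With this, `User.new.set(params)` assigns only name and password and reports :id and :administrator_flag as rejected, while `set_all` would let the attacker-supplied flag through; the per-call forms (set_only, set_except) let a particular action narrow or widen the list without changing the class default.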
You received this message because you are subscribed to the Google Groups 
"sequel-talk" group.
To post to this group, send email to sequel-talk@googlegroups.com