|
|
|
|
|
|
by marshray
5213 days ago
|
|
|
I was going to say the same thing. The Security guide does describe the issue, and even describes attr_accessible as a "Countermeasure".
http://guides.rubyonrails.org/security.html#mass-assignment Without any precautions Model.new(params[:model]) allows attackers to set any database column’s value. Unbelieveable! PHP showed long ago that allowing a web request to auto-populate arbitrary members in app objects is just a spectacularly bad idea. Even the canonical "Hello Rails" example code neglects to specify attr_accessible.
http://guides.rubyonrails.org/getting_started.html#hello-rai... The general attitude of Rails developers towards security here is really shocking. I don't think I could recommend anyone use Rails. |
|
|
Being able to change the :id or timestamps of the post isn't anywhere near the SQL injection vulnerabilities I've seen in many tutorials in other languages/frameworks.
I agree, though, I wouldn't recommend Rails to people who can't bother to read documentation.