Ben Knight wrote: > What's the most recommended technique for guarding Rails HTTP params? > > For example, something like this can obviously be dangerous (e.g. SQL > injection) > user_account = UserAccount.find(:first, :conditions => ["username = > ?", params[:id]) > > I am about to write a home-grown validation routine to check for string > lengths, data types (e.g. numeric versus string, depending on what I'm > expecting), etc. but I wasn't sure if there are existing > plugins/libraries out there. > > I was considering writing something like this: > id = validate_params(params[:id], "string", 10) # 10 being > max_length
ActiveRecord has may validations callbacks such as validate_presence_of, etc. It's preferrable to validate data in the models instead of controllers. Regards, rp8 ======================= http://lun.competo.com/ -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
