[RUBY] Summary of strong parameters
What is a strong parameter?
- ** Mechanism for safely receiving by specifying the value sent from the form **
Used to eliminate the
mass assignmentvulnerability
- ** What is Mass Assignment? ** A mechanism that allows you to specify multiple columns at once when saving / updating to the DB.
Mass Assignment Vulnerability
For example, when inputting data from a form, there is a possibility that the input value of unintended data will be accepted as it is by exchanging or rewriting the input field and the corresponding column using a developer tool or the like.
↓ Expansion
** * Data is saved in a column different from the column corresponding to the original form **
Benefits of strong parameters
When retrieving the information entered in the post form with params, it is possible to prevent saving invalid contents. If you set a column with a strong parameter, you can receive only the information of that column.
how to use
books_controller.rb
private
def book_params
params.require(:book).permit(:title, :body)
end #Model specification#Key specification
** permit method ** ** = Of the keys obtained by params, the method that allows saving to the database **
In the above case, even if params contains data of other columns, it is not saved in the database.
Specifically, the parameters sent when the form is submitted are basically sent with the following double hash structure, but in this case only the" book "part in it. Allows you to save.
terminal
Processing by BooksController#create as HTML
Parameters: {
"utf8"=>"✓",
"authenticity_token"=>"Token information is listed",
"book"=>{"title"=>"Botchan", "body"=>"A novel by Soseki Natsume"}, #params.require(:book).permit(:title, body)The part specified by
"commit"=>"Create Book"
}
private method
The " private "method described in the first line of the above code allows you to limit the methods and variables described below.
In the above case, since it is used in books_controller, the above-mentioned "book_params" method cannot be called by other controllers (example: users_controller).
Summary
By using strong parameters within the scope of private methods, it is possible to prevent the storage of illegal data and enhance security.
If you have any mistakes regarding the content, please let us know in the comments.
Recommended Posts