protect_from_forgery -> ensures that POST requests are only acted on if they come from your own application's forms, not from a form on some other site
session hash is now stored as a cookie on the client side
typical to put only a user_id in it
before_filters: the filter chain keeps going as long as each filter returns anything other than false, and stops processing as soon as one returns false,
so explicitly return true at the end of a filter
attr_accessible and attr_protected
in model
attr_protected :admin, :hashed_password
black list of attributes which can't be changed by mass assignment
attr_accessible :price, :size
white list of attributes which can be changed by mass assignment
however, once attr_accessible is declared, any attribute not listed in it can't be updated this way
needs maintenance by hand, but pretty cheap
untrusted_input
item = Item.find(:first, :conditions => ["material = ?", untrusted_input])
you don't need to know how the database represents a boolean; pass it through the placeholder
User.find(:first, :conditions => ["admin = ?", true])
for an IN clause, pass an array
User.find(:first, :conditions => ["email in (?)", ["a@c", "b@d"]])
User.find(:first, :conditions => ["created_at < ?", Time.now])
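As an added illustration of what the ? placeholders above do (this is not ActiveRecord's own code): each value is quoted and escaped according to its type before it is spliced into the SQL, so an untrusted string cannot close the quote and change the query. The 't'/'f' spelling of booleans and the timestamp format are assumptions standing in for whatever the real adapter uses.

```ruby
# Illustrative expansion of a conditions array such as
# ["material = ?", untrusted_input]; assumed formats, not a real adapter.
def quote_value(value)
  case value
  when nil            then 'NULL'
  when true           then "'t'"   # assumed boolean spelling (adapter-specific)
  when false          then "'f'"
  when Integer, Float then value.to_s
  when Time           then "'#{value.utc.strftime('%Y-%m-%d %H:%M:%S')}'"
  when Array          then value.map { |v| quote_value(v) }.join(', ') # for "in (?)"
  else
    # Double every single quote so the value stays inside its own literal.
    "'#{value.to_s.gsub("'", "''")}'"
  end
end

def expand_conditions(conditions)
  sql, *values = conditions
  raise ArgumentError, 'wrong number of bind values' unless sql.count('?') == values.size
  pending = values.dup
  sql.gsub('?') { quote_value(pending.shift) }
end

if __FILE__ == $0
  untrusted_input = "wood' OR 'x'='x"   # constructed sample input
  puts expand_conditions(["material = ?", untrusted_input])
  # => material = 'wood'' OR ''x''=''x'   (the quote is escaped, the query shape is unchanged)
  puts expand_conditions(["admin = ?", true])
  puts expand_conditions(["email in (?)", ["a@c", "b@d"]])
  puts expand_conditions(["created_at < ?", Time.utc(2009, 1, 2, 3, 4, 5)])
end
```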
method h
<%=h item.name %>
use it whenever the value could contain HTML that someone injected; h escapes the HTML so the page doesn't end up pulling in a <script> or <img> tag