Re: [Rails] attrs_accessible.

Ruby on Rails Sunday, February 27, 2011

On 27 February 2011 04:05, radhames brito <rbritom@gmail.com> wrote:
> it can be done like this
> http://railscasts.com/episodes/237-dynamic-attr-accessible

I'm viewing http://asciicasts.com/episodes/26-hackers-love-mass-assignment.
It says that an hacker can do curl -d
"user[name]=hacker&user[admin]=1" http://localhost:3000/Users/ and
create an admin user.
Ok, wtih attr_accessible he can't do that but..........if he can't
create an admin user he always can create a user, not an admin user
but a user.
That is he can insert values in my database.
I can't use attr_accessible for all my model attributes.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

Posted by Ruby on Rails at 3:24 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)