to with parameters secure?

2018-06-05 21:00:40

As a general rule of thumb you aren't supposed to trust any input of data from users. If you had a simple link_to with a parameter:

link_to "Click me", test_path(:my_param => "test")

The route might look like: example.com/test?my_param=test

How do I know if the param, or any injected data for that matter, is being filtered properly? The Rails 3 API doesn't specify that it filters data that is passed to the controller, but I want to make sure that the params[:my_param] is filtered securely in the controller before I utilize the params data.

Any thoughts?

Rails framework doesn't secure things by default for GET request. link_to tag is sending a http get request.

If it is a POST/PUT/DELETE request then the Rails uses protect_from_forgery for verify the data sending url

However in your case, its not hard to write a simple method to verify your data for get requests ,

you could write a before_filter to check the sending parameters for a GET request

HTH

链接地址: http://www.djcxy.com/p/18448.html

上一篇: Rails将资源创建嵌套在不同的页面上

下一篇: 以参数安全？