My name is MatthewRudy, and I'm a Rails Developer. I am.... MATTHEW RUDY ON RAILS!!!


Whoops! Rails security flaw.

Yeah, I accidentally messed up my whole website.

All because I did a bit of stupid HTML.

...
<%= text_field :post, :name %>
...

And the controller didn't save me from this hell:
def create
  @post = @user.posts.create(params[:post])
end

If only I'd made the model safe...
class Post < ActiveRecord::Base
  def name=(value)
    self.connection.execute("DROP DATABASE my_production_db")
    self[:name] = value
  end
end

As you can see,
I messed up bad,
should never have let that :name param get past the controller.

My solution...
def create
  safe_params = params[:post].except(:name)
  @post = @user.posts.create(safe_params)
end

Lucky I spotted this before we went live!
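Added example, not code from the post above: the post's denylist fix (`except(:name)`) set next to an allowlist of permitted attributes, using a plain Ruby Hash in place of Rails params and a stand-in model whose `name=` setter only logs. The attribute names and the sample request are constructed.

```ruby
# Added example (not the post's own code): denylist vs allowlist for
# mass-assigned params. FakePost, PERMITTED and REQUEST are constructed.

# Model stand-in: mass assignment calls a setter for every key it is given.
class FakePost
  attr_reader :attributes, :log
  def initialize
    @attributes = {}
    @log = []
  end

  # Stand-in for the post's dangerous name= setter: logs instead of acting.
  def name=(value)
    @log << "name= called"
    @attributes["name"] = value
  end

  # Assign each key the way ActiveRecord would: through a setter if one exists.
  def assign(params)
    params.each do |key, value|
      setter = "#{key}="
      if respond_to?(setter)
        public_send(setter, value)
      else
        @attributes[key] = value
      end
    end
    self
  end
end

# Denylist: drop the one attribute we know about; anything forgotten slips through.
def denylist_params(params)
  params.reject { |k, _| k == "name" }
end

# Allowlist: keep only what the form is meant to set.
PERMITTED = %w[title body].freeze
def allowlist_params(params)
  params.select { |k, _| PERMITTED.include?(k) }
end

# Constructed request: a normal form submission plus two fields the client added.
REQUEST = { "title" => "Hi", "body" => "Hello", "name" => "x", "admin" => "1" }.freeze

def build_with_denylist
  FakePost.new.assign(denylist_params(REQUEST))
end

def build_with_allowlist
  FakePost.new.assign(allowlist_params(REQUEST))
end
```

The denylist keeps `name=` from firing but still lets the unexpected `admin` key through; the allowlist drops both.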