Hacker News

If you've recently started a new Rails project (or are thinking about it), you should use strong_parameters right off the bat!

I'm not 100% positive, but I don't think strong_parameters would do anything to protect you here.

It would not have helped with this vulnerability, no. But it is a better way of handling filtering appropriate parameters.

Why is strong_parameters not the only way? Rails is pretty opinionated in many other respects...

The downside of 'don't break APIs for minor version changes' means that you can't break APIs until the major version changes. ;)

It was opinionated to use attr_accessible until a better approach came along. Beginning in 4.0 it will be opinionated to use strong_parameters, but they can't just take attr_accessible away because a lot of people are upgrading apps.
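To make concrete what the two comments above mean by "filtering appropriate parameters" (strong_parameters at the controller boundary, versus attr_accessible's whitelist on the model), here is an added example that is not from this thread and not the strong_parameters gem's own code. It is a simplified, stand-alone reimplementation of the `require`/`permit` idea in plain Ruby; the class name `Params` and the behaviour of nested permits are assumptions chosen to mirror the real API closely enough to show why unfiltered mass assignment is dangerous and what whitelisting does about it.

```ruby
# Added example, not from the HN thread and not the strong_parameters gem's code:
# a minimal stand-in for ActionController::Parameters#require / #permit that
# runs without Rails. Class and method names are assumptions that mirror the
# gem's API; the implementation is deliberately simplified.

class ParameterMissing < StandardError; end

class Params
  def initialize(hash)
    # Normalise keys to strings, as Rails does for request parameters.
    @hash = hash.transform_keys(&:to_s)
  end

  # require: the top-level key must be present and non-empty, otherwise raise
  # (in Rails this surfaces as a 400 Bad Request).
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or empty: #{key}" unless value.is_a?(Hash) && !value.empty?
    Params.new(value)
  end

  # permit: return only the whitelisted keys; anything not listed (for example a
  # client-supplied "admin" flag) is silently dropped. A Hash entry such as
  # { address: [:city] } permits a nested hash with its own whitelist.
  def permit(*allowed)
    out = {}
    allowed.each do |entry|
      if entry.is_a?(Hash)
        entry.each do |key, sub|
          nested = @hash[key.to_s]
          next unless nested.is_a?(Hash)
          out[key.to_s] = Params.new(nested).permit(*sub)
        end
      else
        key = entry.to_s
        # Only scalars are permitted by a bare key; hashes need an explicit sub-list.
        out[key] = @hash[key] if @hash.key?(key) && !@hash[key].is_a?(Hash)
      end
    end
    out
  end
end

# A model with naive mass assignment: every key in the hash becomes an attribute.
# Without filtering, a client-supplied "admin" key flips the privilege flag.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Constructed request parameters, shaped like a form post that smuggles in an
# extra "admin" field the form never offered.
UNTRUSTED_PARAMS = {
  "user" => { "name" => "alice", "email" => "alice@example.com", "admin" => true }
}.freeze

# The pre-strong_parameters pitfall: hand the raw hash straight to the model.
def build_user_unfiltered(params)
  User.new(params["user"])
end

# The strong_parameters pattern: require the scope, permit only known fields.
def build_user_filtered(params)
  User.new(Params.new(params).require(:user).permit(:name, :email))
end
```

With `UNTRUSTED_PARAMS`, `build_user_unfiltered` yields a user whose `admin` is `true`, while `build_user_filtered` yields `admin == false` because the key was never permitted. attr_accessible in Rails 3 enforced the same kind of whitelist, but on the model class for every caller; strong_parameters moves the decision to the controller action that actually receives the request, which is why the thread calls it the better place for it.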

It will be the default in Rails 4... so soon : )

Agreed! That is what I teach when I do training.
