DEV Community

Tiberius Mairura


Strong Parameters in Rails?

Ah, strong parameters in Rails


The magic charm that allows developers to write spell-bound code. Just kidding: they're actually a pretty useful tool for protecting your application from malicious user input, specifically from mass assignment. But let's be real, they can still be a pain to deal with at times.

So, what are strong parameters exactly? Essentially, they're a way to declare which request parameters a controller action is allowed to hand on to a model. Mass assignment would otherwise let a client set any attribute the model has, including attributes your form never exposes, and an attacker doesn't need your form at all to send them.

Let's say we have a form that allows users to create a new post. We want to allow them to specify the title and body of the post, but we don't want them to be able to set the published attribute. Without strong parameters, anyone could send a POST request with an extra published parameter set to true and, voila, they've published a post without your permission.

Here's an example of how we can use strong parameters to only allow the title and body attributes to be passed through:



def create
  # require(:post) raises if the post key is missing; permit keeps only these two keys
  post_params = params.require(:post).permit(:title, :body)
  @post = Post.new(post_params) # passing an unpermitted hash here would raise ForbiddenAttributesError
  @post.save
end



This ensures that only the title and body attributes reach the model. Any other keys under post are simply not copied into the permitted hash; the request still carries them, but the model never sees them. Rails can log or raise on such unpermitted keys via config.action_controller.action_on_unpermitted_parameters (:log or :raise), and raising in development and test is a cheap way to catch a form field you forgot to permit.

But wait, there's more! The require method on its own demands that a key be present and not blank. It is normally applied to the top-level wrapper key (the :post in the example), but it can also be chained on a nested key. For example:



def create
  post_params = params.require(:post).permit(:title, :body)
  post_params.require(:title) # raises if title is missing or blank; returns the title value, not a hash
  @post = Post.new(post_params)
  @post.save
end



This ensures that the title attribute is not only permitted but also present. If title is missing or blank, require raises an ActionController::ParameterMissing error, which Rails turns into a 400 Bad Request response. Note that require returns the value of that key rather than the filtered hash, so keep the permitted hash in its own variable instead of chaining require onto the end of the permit call and passing the result to the model. For ordinary field checks, a presence validation on the model is the more idiomatic choice and gives the user a friendlier error than a 400.

Now, I know what you're thinking. "This is all well and good, but what if I have a bunch of nested attributes that I want to permit? Do I have to write out every single attribute individually?"

Fear not, my fellow developer friend! You don't: permit accepts nested filters, so a nested hash, or an array of nested hashes such as tags or comments, is permitted with hash syntax, where the key points at the list of nested keys you allow. There is also the permit! method, which has been part of strong parameters since they arrived in Rails 4 and marks every key, nested ones included, as permitted. Be very careful with it: it disables mass-assignment protection for that hash entirely, so the published attribute from the earlier example would go straight through again. It belongs in trusted admin-only code paths, if anywhere.



def create
  # permit! marks everything under params[:post] as permitted, so published goes straight through
  post_params = params.require(:post).permit!
  @post = Post.new(post_params)
end
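To make the three behaviours discussed above (the published attribute sneaking in through mass assignment, require raising on a missing or blank value, and nested attributes versus permit!) runnable without a Rails app, here is an added example. It is not code from the original post and it is not ActionController::Parameters itself: it is a small stand-alone re-implementation of the require / permit / permit! rules, a toy Post model that refuses unpermitted params the way ActiveModel does, and a constructed request body in which the client smuggles a published field and a tag id. The Params, Post, ParameterMissing and ForbiddenAttributesError names, the helper functions and the request body are all assumptions made for this example.

```ruby
# Added example, not from the original post and not ActionController::Parameters:
# a stand-alone re-implementation of require / permit / permit! that runs without Rails.
class ParameterMissing < StandardError; end
class ForbiddenAttributesError < StandardError; end

class Params
  SCALARS = [String, Integer, Float, TrueClass, FalseClass].freeze

  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  # require(:post): raise if the key is absent or blank, else return the VALUE
  # (a nested hash comes back wrapped in Params). It does not return a filtered hash.
  def require(key)
    value = @hash[key.to_s]
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if value.nil? || value == "" || value == {} || value == []
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # permit(:title, :body, tags: [:name]): keep only the listed keys. A bare symbol
  # permits a scalar; a hash entry permits a nested hash or array of hashes, filtered recursively.
  def permit(*filters)
    kept = {}
    filters.each do |filter|
      unless filter.is_a?(Hash)
        value = @hash[filter.to_s]
        kept[filter.to_s] = value if SCALARS.any? { |t| value.is_a?(t) }
        next
      end
      filter.each do |key, sub|
        case (value = @hash[key.to_s])
        when Hash  then kept[key.to_s] = Params.new(value).permit(*sub).to_h
        when Array then kept[key.to_s] = value.grep(Hash).map { |v| Params.new(v).permit(*sub).to_h }
        end
      end
    end
    Params.new(kept, permitted: true)
  end

  # permit!: mark everything as permitted; nothing is filtered, so smuggled keys reach the model.
  def permit!
    Params.new(@hash, permitted: true)
  end

  # Mass assignment only accepts permitted params (cf. ActiveModel::ForbiddenAttributesProtection).
  def to_h
    raise ForbiddenAttributesError, "unpermitted parameters" unless @permitted
    @hash
  end
end

# Toy model: assigns whatever the argument (plain Hash or Params) yields via to_h.
class Post
  attr_accessor :title, :body, :published

  def initialize(attrs)
    attrs.to_h.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
  end
end

# Constructed request body: the form only has title and body, but the client also
# sends `published` and a tag id it was never offered.
RAW_REQUEST = {
  "post" => { "title" => "Hello", "body" => "world", "published" => true,
              "tags" => [{ "name" => "news", "id" => 7 }] }
}.freeze

def legacy_create(raw)       # Post.new(params[:post]) before strong parameters
  Post.new(raw["post"])
end
def permit_all_create(raw)   # permit! lets `published` straight through
  Post.new(Params.new(raw).require(:post).permit!)
end
def hardened_create(raw)     # only title and body reach the model
  Post.new(Params.new(raw).require(:post).permit(:title, :body))
end
def unpermitted_create(raw)  # forgetting permit fails loudly rather than silently
  Post.new(Params.new(raw).require(:post))
  :no_error
rescue ForbiddenAttributesError
  :forbidden
end
def nested_permit(raw)       # nested attributes via hash syntax; the tag `id` is dropped
  Params.new(raw).require(:post).permit(:title, :body, tags: [:name]).to_h
end
def require_title(raw)       # chained require raises on a missing or blank title
  Params.new(raw).require(:post).require(:title)
rescue ParameterMissing => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  p legacy_create(RAW_REQUEST).published, permit_all_create(RAW_REQUEST).published,
    hardened_create(RAW_REQUEST).published, nested_permit(RAW_REQUEST), require_title("post" => { "title" => "" })
end
```

Running it shows published coming through as true for both the pre-strong-parameters style and permit!, nil for permit(:title, :body), the nested tag filtered down to its name, and the chained require turning a blank title into a ParameterMissing error. The Rails class behaves the same way on these inputs; the point of the toy is only to make the difference between the three controller variants visible side by side.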



There you have it, a quick overview of strong parameters in Rails. They may seem like a nuisance at times, but trust me, they're worth the effort in the long run to keep your application secure. Happy coding!
