I’m building a community website where users sign up and create profiles.
Now when a user has signed up they can click a link to take them to the edit profile area of the website.
Here they can fill in their name, age, select, birthday and fill out things such as personal stats, about me etc.
I’m wondering what is the best way to protect my profiles table from malicious hackers? Most similar websites don’t seem to have any kind of validation when it comes to their edit profile section of the website. So a user can fill in nothing and still submit a form with no issue.
I’m wondering what is the best way to allow this kind of functionality but at the same time protect my database?
Should I just be setting maximum length validation rules amongst other things?
I’m not quite sure how to deal with this.
I have drop down select menus, text area boxes, and plenty of text fields which data about the user will be entered into.
How would you deal with this and/or what is the most appropriate way to deal with this?
Kind regards
The most common threats to look out for are attempts to elevate privilege through this class. For instance, if you have a user table with an admin attribute used to determine if a user is an admin, even if this attribute cannot be set in the form you describe, a user can craft a post to the action of the form on the page with &admin=true or &admin=1, depending on the corresponding column data type. The protection against this is specifying in your model the attributes that are updatable through mass-assignment. You do this with the attr_accessible method. This will prevent the admin attribute from being updated through an update_attributes call typically used in an edit action.
The other thing to watch out for is automated sign-ups. For this there are a couple of things you can do. The most common is to implement a captcha. Without this someone could write a script that creates 1_000_000 users in your table, making it very difficult to determine which are real and which are fake. You may also think about logging sign-up attempts by IP and restricting the number of requests for an hour's time, for instance.
As for your edit page protection, the most common way to protect this is to use a before_filter in your controller that makes sure the user has some piece of session information before allowing the page to be rendered.
Just some examples. I’m sure there are many more ways to protect yourself but this will at least give you an idea of the places that need attention to prevent the most basic attempts at wrecking your day. The problem with this topic is that the techniques used to break/hijack your site are ever-evolving. Some people think they are covered and get hit anyway. Back up your data frequently via script, and write other scripts that check the integrity of your database. If you see a sudden leap in user instances in the table you’ll know something is up: review the logs and restore your data.
If your site is popular, it will get attacked, period.
Another thing regarding captcha, I’ve heard that ANYTHING displayed on a screen can be scraped by script so as safe as this may seem there are talented people out there that can dance around your security like the Macarena.
Be as proactive as possible and have your reactive measures well thought-out.
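To make the mass-assignment point in the answer concrete, here is an added example in plain Ruby (not code from the original post and not Rails' own implementation). It sketches the whitelist idea behind attr_accessible and update_attributes: the Profile class, its attr_accessible/update_attributes methods, the maximum-length rules and the sample "crafted" params are all constructed for this demo and need no Rails installation. It also shows the empty-form case from the question (no fields filled in) passing validation while a crafted &admin=1 parameter is silently dropped.

```ruby
# Added example, not from the original post: a plain-Ruby model that mimics the
# attr_accessible whitelist pattern. Assumes no Rails; all names are hypothetical.

class Profile
  # Model-level whitelist: only these attribute names may be set through
  # mass-assignment. Anything else in the incoming params is ignored.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible_attributes
    @accessible || []
  end

  attr_reader :name, :age, :about_me, :admin

  # admin is deliberately NOT listed, so a crafted &admin=1 cannot reach it.
  attr_accessible :name, :age, :about_me

  MAX_NAME = 50
  MAX_ABOUT_ME = 500

  def initialize
    @admin = false
  end

  # Mirrors update_attributes: takes a params hash (as a POSTed edit form would
  # produce), keeps only whitelisted keys, assigns them, then validates.
  # Returns true when the record is valid, false otherwise.
  def update_attributes(params)
    allowed = self.class.accessible_attributes
    safe = params.select { |key, _| allowed.include?(key.to_s) }
    safe.each { |key, value| instance_variable_set("@#{key}", value) }
    valid?
  end

  # Maximum-length and range rules; nil (field left blank) is accepted,
  # which is the "submit an empty form" behaviour the question describes.
  def errors
    errs = []
    errs << "name too long" if name && name.length > MAX_NAME
    errs << "about_me too long" if about_me && about_me.length > MAX_ABOUT_ME
    errs << "age out of range" if age && !(13..120).cover?(age.to_i)
    errs
  end

  def valid?
    errors.empty?
  end
end

# Constructed request body: a legitimate edit plus a crafted admin parameter.
def crafted_params
  { "name" => "alice", "age" => "30", "about_me" => "hello", "admin" => "1" }
end

# Runs the crafted request through the model and reports what actually changed.
def demo
  profile = Profile.new
  ok = profile.update_attributes(crafted_params)
  [ok, profile.name, profile.admin]   # => [true, "alice", false]
end

puts demo.inspect if __FILE__ == $0
```

The whitelist lives in the model rather than the form, so it applies no matter which controller action or hand-crafted request delivers the params; the length rules then bound what a user can store in each column regardless of how the form was filled in.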