In my search I mainly found ways to sanitize data when outputting, or to sanitize single input boxes, using:
<%=h @name %> OR ['name = ?', params[:name]]
However, I’m creating an object like so:
@user = User.new( params[:user] )
Now, I could sanitize each key in the params[:user] hash one by one, but I’m sure there is a more elegant technique.
If this is for optimization reasons, use the Sanitize gem. However, since you talk about doing it for every single field, something smells a little wrong here. ActiveRecord already escapes input to avoid SQL injection problems, but you shouldn't need to HTML-escape every single thing that goes into your database (and doing so could cause issues later down the line if you want to process the original data in some way). The only things you may want to sanitize before they go into the database, for performance reasons, are things like Rich Text Editor input fields, such as data coming from TinyMCE, where you actually want to filter the data against a white-list, not just escape it with simple string conversions.
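To make the answer's two points concrete, here is an added example in plain Ruby (it is not code from the question, the answer, Rails or the Sanitize gem). It uses only the standard library's ERB::Util.html_escape, the same escaping that the `h` helper in the question performs. The method names (`render_stored_raw`, `render_stored_escaped`, `stored_value_matches?`, `sanitize_rich_text`) and the `ALLOWED_TAGS` list are assumptions made for the illustration. The first part shows what goes wrong when a value is HTML-escaped before it is stored and then escaped again by the view: the page shows literal entities, and an exact lookup on the original value no longer matches. The second part is a deliberately tiny allow-list filter for rich text: only a fixed set of attribute-free tags passes through unchanged and everything else, including any tag carrying attributes, is escaped. It illustrates the allow-list principle the answer describes, not how the Sanitize gem is implemented; for real rich-text input use a parser-backed library such as that gem.

```ruby
require 'erb'
require 'set'

# Escape at output time, as the <%=h ... %> helper from the question does.
def h(text)
  ERB::Util.html_escape(text.to_s)
end

# The recommended flow: the database keeps the original bytes and the view
# escapes them exactly once when rendering.
def render_stored_raw(raw)
  stored = raw
  h(stored)
end

# The anti-pattern: an escaped copy is stored, and the view helper escapes it
# a second time, so the browser displays literal "&lt;" instead of "<".
def render_stored_escaped(raw)
  stored = h(raw)
  h(stored)
end

# Consequence for later processing: an exact-match comparison against the
# original value fails once the stored copy has been escaped.
def stored_value_matches?(raw, escape_before_store:)
  stored = escape_before_store ? h(raw) : raw
  stored == raw
end

# Allow-list for rich text: only these exact, attribute-free tags survive.
# (Assumed list for the example; a real sanitizer is configured per site.)
ALLOWED_TAGS = Set.new(
  %w[<b> </b> <i> </i> <em> </em> <strong> </strong> <p> </p>]
).freeze

# Matches bare opening/closing tags with no attributes. Anything more
# complex (e.g. <a href="..."> or <img onerror=...>) is left in the text
# between tokens and therefore gets escaped below.
TAG_TOKEN = /(<\/?[a-zA-Z]+>)/

# Split on candidate tags (the capture group keeps them in the result),
# keep the ones on the allow-list verbatim, escape every other piece.
def sanitize_rich_text(html)
  html.to_s.split(TAG_TOKEN).map do |piece|
    tag = piece.downcase
    ALLOWED_TAGS.include?(tag) ? tag : h(piece)
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for the demonstration.
  puts render_stored_raw('<script>alert(1)</script>')
  puts render_stored_escaped('<script>alert(1)</script>')
  puts stored_value_matches?("O'Brien", escape_before_store: true)
  puts sanitize_rich_text('<p>Hi <B>there</b> <script>alert(1)</script> <a href="x">y</a></p>')
end
```

Note that the filter never tries to recognise "bad" tags; it only recognises good ones, which is what distinguishes an allow-list from the fragile blacklist approach. Unbalanced allowed tags can still pass through, which is one of the reasons a real sanitizer works on a parsed tree rather than on a token split.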