The official way of preventing security risks with mass-assignment is using attr_accessible . However,

Question

0

Asked: May 31, 20262026-05-31T05:13:49+00:00 2026-05-31T05:13:49+00:00

The official way of preventing security risks with mass-assignment is using attr_accessible . However,

0

The official way of preventing security risks with mass-assignment is using attr_accessible. However, some programmers feel this is not a job for the model (or at least not only for the model). The simplest way of doing it in a controller is slicing the params hash:

@user = User.update_attributes(params[:user].slice(:name))

However the documentation states:

Note that using Hash#except or Hash#slice in place of attr_accessible
to sanitize attributes won’t provide sufficient protection.

Why is that? Why a whitelist-slicing of params does not provide enough protection?

UPDATE: Rails 4.0 will ship strong-parameters, a refined slicing of parameters, so I guess the whole slicing thing was not so bad after all.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-31T05:13:50+00:00

Editorial Team

2026-05-31T05:13:50+00:00Added an answer on May 31, 2026 at 5:13 am

The problem with slice and except in controller might occur in combination with accept_nested_attributes_for in your model. If you use nested attributes, you would need to slice parameters on all places, where you update them in controller, which isn’t always the easiest task, especially with deeply nested scenarios. With using attr_accesible you don’t have this problem.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

The official way of preventing security risks with mass-assignment is using attr_accessible . However,

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply