Why I do not use strong parameters in Rails
benjamin roth

When our application was a Rails one we used the same approach we use now that we converted it to Roda a few months ago. Rather than using the slice trick, I'll explicitly convert each individual parameter to the type I expect. This works for us because usually we only have a handful of params sent to each request, and I never trusted the automatic binding of Rails, which was historically the source of many security issues in Rails.

So, I'd do things like `id = Integer(params['id'])` to make sure it will raise an exception if the id param wasn't sent as an integer. Even for text params I'd be sure to call `params['name'].to_s`. For more complex validations I guess I'd use a specialized library, such as Dry Validation or any other/custom one.

I’ve never used strong params and I had the same feeling as you that it was just a patch to GitHub’s security issues.
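As an added example, not the commenter's code: the explicit per-parameter coercion described above, written as a small whitelist schema a Roda or Rails action could call. The schema, the `coerce_params` helper and the sample params are all constructed for illustration; anything not in the schema (such as a smuggled `admin` key) is simply never read, which is the mass-assignment risk automatic binding used to carry.

```ruby
# Explicit parameter coercion instead of strong parameters / automatic binding.
# Constructed example: schema and param names are hypothetical.

class ParamError < StandardError; end

# The only params this endpoint accepts, each with its own conversion.
# Keys not listed here are never read, so they can never reach a model.
UPDATE_USER_SCHEMA = {
  # Integer(str, 10) raises ArgumentError on "42abc", "1e3", "" and nil.to_s;
  # base 10 keeps "010" from being parsed as octal.
  'id'   => ->(v) { Integer(v.to_s, 10) },
  # Mirrors params['name'].to_s: arrays and hashes become plain strings.
  'name' => ->(v) { v.to_s.strip },
  # Optional numeric field: absent means nil, present must parse.
  'age'  => ->(v) { v.nil? ? nil : Integer(v.to_s, 10) },
}.freeze

# Returns a Hash with symbol keys holding only the schema's params, each
# converted to its expected type. Raises ParamError on the first bad value.
def coerce_params(raw, schema = UPDATE_USER_SCHEMA)
  schema.each_with_object({}) do |(key, convert), out|
    begin
      out[key.to_sym] = convert.call(raw[key])
    rescue ArgumentError, TypeError => e
      raise ParamError, "param #{key.inspect} invalid: #{e.message}"
    end
  end
end

# Convenience predicate for callers that only need a yes/no answer.
def params_valid?(raw, schema = UPDATE_USER_SCHEMA)
  coerce_params(raw, schema)
  true
rescue ParamError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: an extra "admin" key is dropped, "id" becomes 42.
  p coerce_params({ 'id' => '42', 'name' => ' Ada ', 'admin' => 'true' })
  # Constructed bad request: a non-integer id is rejected, not silently bound.
  p params_valid?({ 'id' => '42abc', 'name' => 'Ada' })
end
```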
