Securing Your Code: Strong Params

Uzo
3 min read · Apr 9, 2020
From the Ruby on Rails Website

The goal of this post is to help you better understand the importance of using strong params in your Rails application. I'll also explain why they are used to add security to one's website. I am by no means an expert yet on the full capabilities of strong params, but in writing this post I am learning the importance of setting them up correctly. I hope to share some helpful advice on setting them up, so that when you run into one of those tricky bugs that may confuse you in your code, you'll have some knowledge of how to figure it out.

I'm now into my fifth week as a Flatiron student and have officially begun learning the Ruby on Rails framework for developing web applications. The functionality of Rails is quite incredible and it's been a joy to use! Now, let's move into the nitty-gritty of my topic, which is the importance of strong params.

So what are Strong Params?

Before I answer this question, let me give you an analogy to help you understand the scope of this concept.

Customers casually taking money from the bank

To understand what strong params are, let's first pretend that you are a bank teller. What would happen if you let every customer who came into your bank use a fake ID card or bank card to take out any amount of cash they wanted? Well, you'd probably lose your job, watch everyone walk out with all the cash, and possibly see some jail time. Running a bank without verifying proper identification would be illegitimate. In the same way, strong params protect your application by providing an interface for protecting attributes from end-user assignment.

So what does this look like in code form?

Let's say, for example, that I had created a form for users to submit their favorite article from the local newspaper. This form consisted of a label titled "Article Name", followed by an input box for the user to fill with an article name. On completing this form, the user is able to submit it, and after doing so, runs into an error.

ForbiddenAttributesError in Rails

What this error message tells us is that Rails needs to be told which parameters are allowed to be submitted through the form to the database. By default, Rails lets nothing through and will instead raise this error until a developer has whitelisted the parameters they wish to allow to be sent to the database. This is done with a private method that encapsulates the permitted parameters. Any of your controller actions can then use this method, and it can be specialized in any way within the controller.

As we can see from the picture above, we call params.require(:article), so the params hash must contain a key called :article. If it is not included, then the request fails and the user gets the ActiveRecord error from before. We then permit the :name key so it can be used as an attribute in our methods. After building our strong params method, we are able to refactor our "create" action to use only the permitted params.

Now that we have refactored our code to give access to our params, a user can fill out the form on our web application. This results in a status code of 200 and enables the user to submit their favorite article to our database.

Uzo

Software Engineer. An investment in knowledge pays the best interest.