How dangerous can a '@class_object_instance.save!(:validate => false)' method be?
I am using Ruby on Rails 3.0.9 and I would like to know "how dangerous" it can be to use the following statement in order to save a record in the database:
@user.save!(:validate => false)
That is, what can happen? For example, can a malicious user hack something (e.g. set some disallowed value) in the database?
Notice: I am referring mostly to the :validate => false part of the above code, which makes it possible to skip validation processes.
Can a malicious user 'hack something'? That depends. :validate => false disables any validation logic in the class @user belongs to. If you've mass-assigned the parameters you wanted to update in the normal way, you still get all the escaping which will protect you from SQL injection type attacks.
However, if the integrity of the application rests on something on @user being valid, you might be in trouble: think of users setting their own account balances, adding extra subscriptions for free, altering expiry dates, etc.
I'm not sure what your application does. Look at the relevant validation logic, question why it's there, then ask yourself what would happen if it were disabled and something broke. In general :validate => false is not a good idea.
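To make the answer's point concrete, here is an added example that is not part of the original question or answer and does not use ActiveRecord at all: a small plain-Ruby stand-in for the save lifecycle (validations, a before_save callback, and a simulated database constraint), so it runs without Rails. The `User`, `FakeDb`, `MiniModel` and `attempt_save` names, the `balance`/`role` attributes and the `CHECK (balance >= 0)` constraint are all assumptions made for the illustration. It shows the layering that matters in practice: `save!(:validate => false)` skips model validations only, while save callbacks and database-level constraints still run.

```ruby
# Added example, not from the original post. A minimal stand-in for the
# ActiveRecord save lifecycle in plain Ruby: model validations, a before_save
# callback, and a database constraint simulated by FakeDb. The point is to
# show which layer `save!(:validate => false)` actually bypasses.

class RecordInvalid < StandardError; end
class StatementInvalid < StandardError; end # stands in for a DB constraint error

# Simulated database (assumption): a CHECK (balance >= 0) constraint that the
# database enforces on every write, regardless of what the application did.
class FakeDb
  attr_reader :rows

  def initialize
    @rows = []
  end

  def insert(attrs)
    raise StatementInvalid, "CHECK (balance >= 0) violated" if attrs[:balance] < 0
    @rows << attrs.dup
    true
  end
end

# Tiny model base class with a validation list and a before_save list.
class MiniModel
  def self.validations
    @validations ||= []
  end

  def self.before_saves
    @before_saves ||= []
  end

  def self.validate(&blk)
    validations << blk
  end

  def self.before_save(&blk)
    before_saves << blk
  end

  attr_reader :errors

  def initialize(db, attrs = {})
    @db = db
    @attrs = attrs
    @errors = []
  end

  def [](key)
    @attrs[key]
  end

  def []=(key, value)
    @attrs[key] = value
  end

  def valid?
    @errors = []
    self.class.validations.each { |v| instance_exec(&v) }
    @errors.empty?
  end

  # Validations run only when :validate is not false; save callbacks always
  # run; the database constraint is checked last, on the actual write.
  def save!(options = {})
    if options[:validate] != false && !valid?
      raise RecordInvalid, @errors.join(", ")
    end
    self.class.before_saves.each { |cb| instance_exec(&cb) }
    @db.insert(@attrs)
  end
end

class User < MiniModel
  # Both rules live only in validations; only one of them is also backed by a
  # database constraint in FakeDb.
  validate { @errors << "balance must be >= 0" if self[:balance] < 0 }
  validate { @errors << "role must be user or admin" unless %w[user admin].include?(self[:role]) }
  # A save callback is not skipped by :validate => false.
  before_save { self[:updated] = true }
end

# Returns :saved, :record_invalid or :statement_invalid for one save attempt.
def attempt_save(db, attrs, validate)
  user = User.new(db, attrs)
  user.save!(:validate => validate)
  :saved
rescue RecordInvalid
  :record_invalid
rescue StatementInvalid
  :statement_invalid
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a negative balance and an unknown role.
  puts attempt_save(FakeDb.new, { :balance => -50, :role => "user" }, true)        # record_invalid
  puts attempt_save(FakeDb.new, { :balance => -50, :role => "user" }, false)       # statement_invalid
  puts attempt_save(FakeDb.new, { :balance => 10, :role => "superadmin" }, false)  # saved
end
```

The negative balance is stopped either way: by the validation normally, and by the database constraint when validation is skipped. The bogus role has no such backstop, so with `:validate => false` it lands in the database unchallenged. That is the practical test the answer suggests: for each validation, ask whether anything else (a save callback, a database constraint) still enforces the same rule once validation is off.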