开发者

How much can be dangerous a '@class_object_instance.save!(:validate => false)' method?

I am using Ruby on Rails 3.0.9 and I would like to 开发者_如何学JAVAknow "how much can be dangerous" to use the following statement in order to save a record in the database:

@user.save!(:validate => false)

That is, what can happen? For example, can a malicious user to hack something (eg: set some not allowed value) in the database?

Notice: I am referring mostly to the :validate => false part of the above code that makes it possible to skip validation processes.


Can a malicious user 'hack something'? That depends. :validate => false disables any validation logic in the class @user belongs to. If you've mass-assigned the parameters you wanted to update in the normal way, you still get all the escaping which will protect you from SQL injection type attacks.

However if the integrity of the application rests on something on @user being valid, you might be in trouble- think of users setting their own account balances, adding extra subscriptions for free, altering expiry dates etc...

I'm not sure what your application does. Look at the relevant validation logic, question why it's there, then ask yourself what would happen if it were disabled and something broke. In general :validate => false is not a good idea.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜