diff options
| author | Chris Sinjakli <chris@sinjakli.co.uk> | 2014-09-14 12:22:29 +0200 |
|---|---|---|
| committer | Chris Sinjakli <chris@sinjakli.co.uk> | 2014-12-15 14:51:07 +0000 |
| commit | 8f8ccb9901cab457c6e1d52bdb25acf658fd5777 (patch) | |
| tree | a98563a5c43183cf3a3f0ed5ddad3e73e9d88801 /guides/source | |
| parent | c308fec0f543c5b5a95bf529b5885964ae8b0f61 (diff) | |
| download | rails-8f8ccb9901cab457c6e1d52bdb25acf658fd5777.tar.gz rails-8f8ccb9901cab457c6e1d52bdb25acf658fd5777.tar.bz2 rails-8f8ccb9901cab457c6e1d52bdb25acf658fd5777.zip | |
Don't convert empty arrays to nils when deep munging params
Diffstat (limited to 'guides/source')
| -rw-r--r-- | guides/source/action_controller_overview.md | 4 | ||||
| -rw-r--r-- | guides/source/security.md | 8 |
2 files changed, 6 insertions, 6 deletions
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md index 4e36a62583..57546da389 100644 --- a/guides/source/action_controller_overview.md +++ b/guides/source/action_controller_overview.md @@ -112,8 +112,8 @@ NOTE: The actual URL in this example will be encoded as "/clients?ids%5b%5d=1&id The value of `params[:ids]` will now be `["1", "2", "3"]`. Note that parameter values are always strings; Rails makes no attempt to guess or cast the type. -NOTE: Values such as `[]`, `[nil]` or `[nil, nil, ...]` in `params` are replaced -with `nil` for security reasons by default. See [Security Guide](security.html#unsafe-query-generation) +NOTE: Values such as `[nil]` or `[nil, nil, ...]` in `params` are replaced +with `[]` for security reasons by default. See [Security Guide](security.html#unsafe-query-generation) for more information. To send a hash you include the key name inside the brackets: diff --git a/guides/source/security.md b/guides/source/security.md index b1c5b22338..b3869b1ba5 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -942,7 +942,7 @@ unless params[:token].nil? end ``` -When `params[:token]` is one of: `[]`, `[nil]`, `[nil, nil, ...]` or +When `params[:token]` is one of: `[nil]`, `[nil, nil, ...]` or `['foo', nil]` it will bypass the test for `nil`, but `IS NULL` or `IN ('foo', NULL)` where clauses still will be added to the SQL query. @@ -953,9 +953,9 @@ request: | JSON | Parameters | |-----------------------------------|--------------------------| | `{ "person": null }` | `{ :person => nil }` | -| `{ "person": [] }` | `{ :person => nil }` | -| `{ "person": [null] }` | `{ :person => nil }` | -| `{ "person": [null, null, ...] }` | `{ :person => nil }` | +| `{ "person": [] }` | `{ :person => [] }` | +| `{ "person": [null] }` | `{ :person => [] }` | +| `{ "person": [null, null, ...] }` | `{ :person => [] }` | | `{ "person": ["foo", null] }` | `{ :person => ["foo"] }` | It is possible to return to old behaviour and disable `deep_munge` configuring |