aboutsummaryrefslogtreecommitdiffstats
path: root/guides/source/getting_started.md
diff options
context:
space:
mode:
Diffstat (limited to 'guides/source/getting_started.md')
-rw-r--r--guides/source/getting_started.md15
1 files changed, 11 insertions, 4 deletions
diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md
index 1b30f4b728..69ee93925a 100644
--- a/guides/source/getting_started.md
+++ b/guides/source/getting_started.md
@@ -531,21 +531,28 @@ and change the `create` action to look like this:
```ruby
def create
- @post = Post.new(params[:post])
-
+ @post = Post.new(post_params)
+
@post.save
- redirect_to @post
+ redirect_to @post
end
+
+private
+ def post_params
+ params.require(:post).permit(:title, :text)
+ end
```
Here's what's going on: every Rails model can be initialized with its
respective attributes, which are automatically mapped to the respective
database columns. In the first line we do just that (remember that
-`params[:post]` contains the attributes we're interested in). Then,
+`post_params` contains the attributes we're interested in). Then,
`@post.save` is responsible for saving the model in the database.
Finally, we redirect the user to the `show` action,
which we'll define later.
+TIP: Note that `def post_params` is private. This new approach prevents an attacker from setting the model’s attributes by manipulating the hash passed to the model. For more information, refer to [this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/).
+
TIP: As we'll see later, `@post.save` returns a boolean indicating
whether the model was saved or not.