From 15f3de20b07f4953fc163a1acdb5a5eef417613e Mon Sep 17 00:00:00 2001 From: AJ Acevedo Date: Fri, 7 Jun 2013 02:38:23 -0400 Subject: Update Getting Started Guide - Strong Parameters modified: guides/source/getting_started.md --- guides/source/getting_started.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) (limited to 'guides') diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md index 1b30f4b728..69ee93925a 100644 --- a/guides/source/getting_started.md +++ b/guides/source/getting_started.md @@ -531,21 +531,28 @@ and change the `create` action to look like this: ```ruby def create - @post = Post.new(params[:post]) - + @post = Post.new(post_params) + @post.save - redirect_to @post + redirect_to @post end + +private + def post_params + params.require(:post).permit(:title, :text) + end ``` Here's what's going on: every Rails model can be initialized with its respective attributes, which are automatically mapped to the respective database columns. In the first line we do just that (remember that -`params[:post]` contains the attributes we're interested in). Then, +`post_params` contains the attributes we're interested in). Then, `@post.save` is responsible for saving the model in the database. Finally, we redirect the user to the `show` action, which we'll define later. +TIP: Note that `def post_params` is private. This new approach prevents an attacker from setting the model’s attributes by manipulating the hash passed to the model. For more information, refer to [this blog post about Strong Parameters](http://weblog.rubyonrails.org/2012/3/21/strong-parameters/). + TIP: As we'll see later, `@post.save` returns a boolean indicating whether the model was saved or not. -- cgit v1.2.3
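Review bot: The new `private` / `def post_params` block at the end of the snippet will silently swallow any action the reader adds after it, so the prose should say to keep `post_params` at the bottom of `PostsController` and to put later actions (the `show` the text promises, `index`, `edit`, ...) above the `private` line; Rails only dispatches to public methods, and an action that lands below `private` fails with `AbstractController::ActionNotFound` rather than routing. The TIP should also state what the whitelist actually does instead of the vague "prevents an attacker from setting the model's attributes": `permit(:title, :text)` lets only those two keys through to `Post.new`, any other key in `params[:post]` is dropped, and `require(:post)` raises `ActionController::ParameterMissing` (rendered as 400 Bad Request) when the `post` key is missing, which is worth telling the reader before the first time they submit an empty form. Finally, "the model's attributes" in the TIP should be "attributes you did not permit", since title and text are still set from user input by design.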