Reputation: 579
Rails form protection questions, hidden field
I have a live rails website and I want to have a form with a lot of fields on it. I have set up validations and allowed formatting for every field. I've tested it quite a bit and it seems to catch anything I throw at it. I think it's almost ready to go live, but I want to quadruple check if there's anything else I should do to protect it. My site has a low volume of visitors, but I want it to be a safe as possible. I'd like to avoid using a captcha if I can. I've read that you can use a hidden field to protect forms against bots. Do people recommend this instead of using a captcha, or even using it with a captcha?
my form is really standard:
<% form_for(@entry) do |f| %>
...
<%= f.submit 'Create' %>
<% end %>
Any suggestions or code samples would be greatly appreciated.
Upvotes: 1
Views: 872
Answers (2)
Reputation: 17246
You should whitelist a list of attributes that the user is allowed to edit in your model using attr_accessible
Upvotes: 2
Related Questions
- Prevent automated robots submitting forms to ruby on rails application?
- submit using hidden field
- Form hidden fields and security
- How can I secure this form post from manipulation
- Alternative to using hidden fields in Rails. Keeping things secure
- Rails secure with hidden field and firebug?
- ROR3 : hidden_field security
- Secure hidden variables in rails?
- Prevent modification ("hacking") of hidden fields in form in rails3?
- Is the use of hidden fields in forms insecure?