Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Mass Assignment"
From NetSec
| Line 1: | Line 1: | ||
| + | |||
| + | == [[Ruby]] == | ||
Typically used in [[Ruby on Rails]], sometimes people will use the following code to create an ActiveRecord object to add a [[database]] entry: | Typically used in [[Ruby on Rails]], sometimes people will use the following code to create an ActiveRecord object to add a [[database]] entry: | ||
| − | <syntaxhighlight lang=ruby> | + | {{code|text=<syntaxhighlight lang=ruby> |
@user=User.new(params[:user]) | @user=User.new(params[:user]) | ||
| − | </syntaxhighlight> | + | </syntaxhighlight>}} |
There have been [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|problems]] with RoR in the past with [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|mass assignment]]. | There have been [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|problems]] with RoR in the past with [[RoR_Patching#Params_Injection_.26_Mass_Assignment_Abuse|mass assignment]]. | ||
| + | |||
| + | == [[PHP]] == | ||
| + | |||
| + | |||
| + | {{code|text=<source lang="php"> | ||
| + | <?php | ||
| + | $object = new object(); | ||
| + | foreach ($_REQUEST as $property => $value) { | ||
| + | $object->$property = $value; | ||
| + | } | ||
| + | ?> | ||
| + | </source>}} | ||
{{expand}} | {{expand}} | ||
Revision as of 04:33, 22 October 2012
Ruby
Typically used in Ruby on Rails, sometimes people will use the following code to create an ActiveRecord object to add a database entry:
|
<syntaxhighlight lang=ruby> @user=User.new(params[:user]) </syntaxhighlight> |
There have been problems with RoR in the past with mass assignment.
PHP
<?php $object = new object(); foreach ($_REQUEST as $property => $value) { $object->$property = $value; } ?> |
| This article contains too little information, it should be expanded or updated. |
|---|
Things you can do to help:
|
