Rails Strong Params


When your app receives input from outside, there is a risk of inadvertently letting users change sensitive information that they should not be able to change. For example, a user should not be able to change their account balance directly (e.g. they could turn an actual balance of $20 into a displayed balance of $20 million without depositing any money). However, you would want a user to be able to enter transaction data that adjusts the account balance based on the account id.

Rails gives programmers the ability to restrict what information users can submit to the Rails back end. This is done by explicitly listing which attributes are allowed in params. Params is short for parameters; it is a hash containing the data passed in to the controller.

The convention is to define the params method as a private method at the bottom of the controller file, named after the controller with _params appended. Call require on params and pass in the name of the controller, then call permit on the result and pass in only the attributes you want to allow.

This method restricts the user to choosing which of their accounts to transact against (e.g. a savings or checking account), the type of transaction they are conducting (e.g. deposit or withdraw), and the transaction amount.

Now that the params method is in place, incoming data is filtered before it is allowed through: only the permitted attributes reach the action that uses them. For example, to create a transaction, the strong params method is used in the create action.

The user would enter their transaction information in a digital form. If the user’s checking account ID was 7 and they were withdrawing $100, the params hash passed would be:
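The filtering described above, carried through as an added example that is not code from the original post. Because the real implementation lives in ActionController::Parameters, which needs Rails, the block uses a small stand-in class with the same require/permit method names so it runs on its own; the TransactionsController name, the attribute names (account_id, transaction_type, amount) and the sample request body, which adds a tampered balance field to the withdrawal from account 7, are all assumptions.

```ruby
# Added example (not from the original post): a minimal stand-in for
# ActionController::Parameters so that require/permit filtering can be run
# without Rails. The method names mirror the real API; the controller name,
# the attribute names (account_id, transaction_type, amount) and the sample
# request body are assumptions.

# Raised by require when the expected top-level key is absent; Rails raises
# ActionController::ParameterMissing and answers the request with 400 Bad Request.
class ParameterMissing < StandardError; end

class Params
  attr_reader :unpermitted_keys

  def initialize(hash)
    # Rails treats string and symbol keys alike; normalise to strings here.
    @hash = hash.to_h.transform_keys(&:to_s)
    @unpermitted_keys = []
  end

  # require: the named key must be present and non-empty, otherwise the
  # request is rejected outright instead of silently proceeding with nothing.
  def require(key)
    value = @hash[key.to_s]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    value.is_a?(Hash) ? Params.new(value) : value
  end

  # permit: keep only the listed keys with scalar values; every other key is
  # dropped (Rails logs them, and can be configured to raise instead via
  # config.action_controller.action_on_unpermitted_parameters).
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @unpermitted_keys = @hash.keys - allowed
    @hash.select { |k, v| allowed.include?(k) && !v.is_a?(Hash) && !v.is_a?(Array) }
  end
end

# The controller pattern from the post: a private *_params method that the
# create action uses, so only the allow-listed attributes ever reach the model.
class TransactionsController
  attr_reader :params

  def initialize(request_params)
    @params = Params.new(request_params)
  end

  # In Rails this would be Transaction.create(transaction_params); here the
  # filtered attributes are returned so the effect of the filter is visible.
  def create
    transaction_params
  end

  private

  def transaction_params
    params.require(:transaction).permit(:account_id, :transaction_type, :amount)
  end
end

# Constructed request body: the legitimate $100 withdrawal from account 7,
# plus a tampered balance field that the form never offered.
TAMPERED_REQUEST = {
  "transaction" => {
    "account_id" => 7,
    "transaction_type" => "withdraw",
    "amount" => 100,
    "balance" => 20_000_000
  }
}.freeze

# Runs the create action and returns what would be handed to the model.
def filtered_transaction(request = TAMPERED_REQUEST)
  TransactionsController.new(request).create
end

# Returns :rejected when the transaction key is missing, showing require at work.
def outcome_for(request)
  filtered_transaction(request)
rescue ParameterMissing
  :rejected
end

if $PROGRAM_NAME == __FILE__
  p filtered_transaction                 # {"account_id"=>7, "transaction_type"=>"withdraw", "amount"=>100}
  p outcome_for({ "user" => { "name" => "x" } })  # :rejected
end
```

The balance key never reaches create because it is not in the permit list, which is the whole point of the pattern: the model only sees attributes the controller chose to accept. In real Rails, permit returns an ActionController::Parameters object marked as permitted rather than a plain Hash, and unpermitted keys are logged by default; this stand-in records them in unpermitted_keys so the dropped field can be inspected.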

For more detailed information on using strong params, consult the documentation here.

And then go celebrate your newfound control with Janet here.

Wendy Raven McNair