Ask A Question

Notifications

You’re not receiving notifications from this thread.

Go Rails' Stripe lesson and strong params

Mark M. asked in Rails

Hello,

I recently watched the Go Rails Stripe tutorial. In it, Chris creates subscriptions like this:

def create_subscription
  customer = # set customer...
  subscription = # create subscription...

  # Set initial subscription information
  user.update(
    stripe_id:      customer.id,
    card_last4:     params[:last4],
    card_exp_month: params[:exp_month],
    card_exp_year:  params[:exp_year],
    card_brand:     params[:card_brand],
    # ...
  )
end

Is this a secure approach for Rails 5 since we're not using strong params? I'm initially thinking yes (since we're explicitly setting which params can be updated by user.update) but I wanted to double-check with all of you since I'm new to Rails.

Thanks!

Reply

Hey Mark,

It's a great question! Here we were skipping strong params. In either case, it'll accept any input the browser sends over. We're explicitly setting columns in this case which is safe.

The problem that strong_params prevents is attackers who add in extra fields into the HTML and submit something like user[admin]=true that you weren't expecting. Strong params makes a whitelist of attributes it will accept, so if you passed in admin, it will ignore it or throw an error.

Since we're explicitly setting a param to a column, it has the same effect. Rails added strong params so you didn't have to manually write all that out every time.

Reply

Thanks for such a detailed response, Chris!

Reply

+1

Reply
Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 81,842+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.

    Screencast tutorials to help you learn Ruby on Rails, Javascript, Hotwire, Turbo, Stimulus.js, PostgreSQL, MySQL, Ubuntu, and more.

    © 2024 GoRails, LLC. All rights reserved.