
It won't help. After @pk.update_attr(params[:pk]) you drop malicious pub key to user params[:pk][:user_id], no way.


Ah that's right, in this case he's trying to make something that belongs to him belong to someone else. Regardless, something like user_id should be protected and really if you're setting up a website whose primary audience is made up of hackers you should be whitelisting on every model.
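As an added example (not code from the thread or from the site being discussed), here is a Rails-free stand-in for the public-key model, showing how an unprotected `update_attributes` lets a tampered `params[:pk][:user_id]` re-parent the key, and how a whitelist of permitted attributes (the effect of `attr_accessible` or strong parameters) drops it; the class, attribute names and sample params are assumptions:

```ruby
# Added example (not from the HN thread): a minimal stand-in for a Rails model
# showing why mass-assigning params[:pk] without a whitelist lets a request
# overwrite user_id, and how a permit-style whitelist prevents it.

class PublicKey
  attr_reader :id, :user_id, :key

  def initialize(id:, user_id:, key:)
    @id, @user_id, @key = id, user_id, key
  end

  # Vulnerable: assigns every attribute present in the params hash,
  # including user_id, so the caller can change who owns the key.
  def update_attributes(attrs)
    attrs.each { |name, value| instance_variable_set("@#{name}", value) }
    self
  end

  # Hardened: only whitelisted attributes are ever assigned.
  PERMITTED = %i[key].freeze

  def update_permitted(attrs)
    update_attributes(permit(attrs, PERMITTED))
  end

  private

  def permit(attrs, allowed)
    attrs.transform_keys(&:to_sym).select { |name, _| allowed.include?(name) }
  end
end

# Constructed request parameters: the edit form submits params[:pk], but a
# tampered request also carries a user_id the form never exposed.
TAMPERED_PARAMS = { 'key' => 'ssh-rsa AAAA...constructed', 'user_id' => 2 }.freeze

def vulnerable_update
  PublicKey.new(id: 1, user_id: 1, key: 'old').update_attributes(TAMPERED_PARAMS)
end

def hardened_update
  PublicKey.new(id: 1, user_id: 1, key: 'old').update_permitted(TAMPERED_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable owner: #{vulnerable_update.user_id}"  # 2: key now belongs to user 2
  puts "hardened owner:   #{hardened_update.user_id}"    # 1: ownership unchanged
end
```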



