Params & Strong Parameters
Accessing request parameters and managing allow lists
Rails params provides unified hash access to URL parameters, query strings, form data, and JSON bodies.
params sources:
URL segment: /posts/:id → params[:id]
Query string: ?page=2 → params[:page]
Form data: <input name="post[title]"> → params[:post][:title]
JSON body: {"post": {"title": "..."}} → params[:post][:title]
Strong Parameters is a security feature introduced in Rails 4. It prevents Mass Assignment attacks (where users sneak in fields like admin=true).
def post_params
  # require raises ActionController::ParameterMissing (rendered as 400) when :post is absent;
  # permit keeps only the listed keys and drops every other key in the :post hash
  params.require(:post).permit(:title, :content, :category_id)
end
require verifies that the required parameter key is present, and permit whitelists only the listed fields. Any field that is not permitted is dropped automatically instead of being assigned to the model.
Key Points
Access URL, query string, form data via params hash
params[:id] → extract value from URL segment
params.require(:post) → validate required key (400 error if missing)
.permit(:title, :content) → add allowed fields to whitelist
Non-permitted fields (e.g., admin, role) are auto-removed
Safely use with Model.create(post_params) or Model.update(post_params)
Pros
- ✓ Fundamentally blocks Mass Assignment attacks
- ✓ Allowed fields are explicit in code
- ✓ Different allowed fields per controller
- ✓ Nested parameters supported
Cons
- ✗ Easy to forget to add new fields to permit
- ✗ Complex nested structures make permit calls verbose
- ✗ The array/hash permit syntax is not intuitive
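The following is an added example, not code from the original page or from Rails itself. It is a small stand-in for ActionController::Parameters written in plain Ruby so it runs without Rails, reproducing the require/permit behaviour described above and the array (tags: []) and nested-hash (author: [:name]) permit syntax mentioned under Cons. The class names SafeParams, ParameterMissing and Post, and the REQUEST body with its smuggled admin=true, are all constructed for this demonstration; only the require/permit call shape mirrors the Rails API.

```ruby
# Constructed stand-in for ActionController::Parameters (NOT Rails' implementation).
class ParameterMissing < StandardError; end

class SafeParams
  attr_reader :raw

  def initialize(raw)
    # Normalize keys to symbols so params[:post] and params["post"] behave alike
    @raw = deep_symbolize(raw)
  end

  # require: the key must be present and non-blank, otherwise a 400-style failure
  def require(key)
    value = @raw[key]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    value.is_a?(Hash) ? SafeParams.new(value) : value
  end

  # permit(:title, tags: [], author: [:name])
  #   bare symbol    -> scalar value allowed
  #   key => []      -> array of scalars allowed
  #   key => [syms]  -> nested hash restricted to those scalar keys
  def permit(*filters)
    scalars = filters.grep(Symbol)
    nested  = filters.grep(Hash).reduce({}, :merge)
    out = {}
    @raw.each do |k, v|
      if scalars.include?(k) && scalar?(v)
        out[k] = v
      elsif nested.key?(k)
        kept = permit_nested(v, nested[k])
        out[k] = kept unless kept.nil?
      end
      # every other key (e.g. :admin) is dropped silently, never raised
    end
    out
  end

  private

  def scalar?(v)
    v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false || v.nil?
  end

  def permit_nested(value, spec)
    if spec == []
      Array(value).select { |x| scalar?(x) }          # array of scalars
    elsif value.is_a?(Hash)
      SafeParams.new(value).permit(*spec)              # nested hash, recursive
    end
  end

  def deep_symbolize(obj)
    case obj
    when Hash  then obj.each_with_object({}) { |(k, v), h| h[k.to_sym] = deep_symbolize(v) }
    when Array then obj.map { |x| deep_symbolize(x) }
    else obj
    end
  end
end

# Constructed model: a setter exists for every column, including the sensitive :admin
class Post
  ATTRS = %i[title content category_id tags author admin].freeze
  attr_accessor(*ATTRS)

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }  # mass assignment, like Model.new(hash)
  end
end

# Constructed request body in which admin=true has been added to the form data
REQUEST = {
  "post" => {
    "title" => "Hello", "content" => "Body", "category_id" => 3,
    "tags" => ["ruby", "rails"],
    "author" => { "name" => "Ann", "email" => "a@example.com" },
    "admin" => true
  }
}.freeze

def post_params(request)
  SafeParams.new(request).require(:post)
            .permit(:title, :content, :category_id, tags: [], author: [:name])
end

def vulnerable_create(request)
  Post.new(SafeParams.new(request).raw[:post])  # whole hash: admin=true reaches the model
end

def safe_create(request)
  Post.new(post_params(request))                # permitted keys only: admin stays nil
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable admin: #{vulnerable_create(REQUEST).admin.inspect}"
  puts "safe admin:       #{safe_create(REQUEST).admin.inspect}"
  puts "permitted:        #{post_params(REQUEST).inspect}"
end
```

Running the file shows the unfiltered path setting admin to true while the permit path leaves it nil and also strips author[:email], which was not listed in the nested spec. In a real application, Rails' `config.action_controller.action_on_unpermitted_parameters` can be set to `:raise` so that unexpected keys surface during tests instead of being dropped silently, which is the usual answer to the "easy to forget a field" drawback.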