Question

I'm kind of new to Rails 4. Right now, I'm using both strong params and "normal" params. By normal params I mean the params[:key] which is not permitted.

For example:

Strong params:

# Allow-list: only :name and :age from params[:person] reach the model.
def person_params
  params.require(:person).permit(:name, :age)
end

And I use both person_params[:name] and params[:key]. Is this going to be a problem in the future? What should I do?


Solution

You should always use Strong Parameters.

Strong params was created to avoid the issue of Mass Assignment.

This means that if you directly use your params hash, you run the risk of someone sending a request with parameters they aren't supposed to use and successfully overwriting them in your models.

This means that, for example, someone could gain admin privileges on your site from their "settings" page by maliciously crafting a request that modifies a hypothetical admin attribute in your User model.

Using strong params gives you the guarantee that only the parameters explicitly allowed by you will pass through to the model, so no attacker should be able to bend your application's restrictions.
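As an added illustration (not part of the original answer, and not Rails' own code), here is a Rails-free sketch of the scenario above: a hypothetical User model that accepts any key it is given, a hand-written stand-in for require/permit, and a constructed "settings" request carrying an extra admin flag.

```ruby
# Added example: why feeding the raw params hash to a model is dangerous and
# how the require/permit allow-list of strong parameters closes the hole.
# User, ParameterMissing and permitted_params are hypothetical stand-ins for
# an ActiveRecord model and ActionController::Parameters.

require 'set'

# Hypothetical model: every key in the attributes hash becomes an attribute,
# which is exactly what mass assignment does in ActiveRecord.
class User
  attr_reader :attributes
  def initialize(attributes = {})
    @attributes = attributes.transform_keys(&:to_sym)
  end
  def admin?
    @attributes[:admin] == true
  end
end

# Minimal imitation of params.require(:key).permit(*keys): raise if the
# required key is absent, drop every key that is not on the allow-list.
class ParameterMissing < StandardError; end

def permitted_params(params, required, *allowed)
  nested = params[required] || params[required.to_s]
  raise ParameterMissing, "param is missing: #{required}" if nested.nil?
  allowed_keys = Set.new(allowed.map(&:to_s))
  nested.select { |k, _| allowed_keys.include?(k.to_s) }
end

# Constructed request: the settings form sends name and age; the sender
# appends an admin flag the form never offered.
CRAFTED_REQUEST = { 'user' => { 'name' => 'mallory', 'age' => '31', 'admin' => true } }

# Vulnerable pattern: the raw params hash goes straight into the model.
def create_unsafely(params)
  User.new(params['user'])
end

# Hardened pattern: only the allow-listed attributes reach the model.
def create_safely(params)
  User.new(permitted_params(params, :user, :name, :age))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe admin? #{create_unsafely(CRAFTED_REQUEST).admin?}" # true
  puts "safe   admin? #{create_safely(CRAFTED_REQUEST).admin?}"   # false
end
```

The filtering step is the whole difference: `create_safely` never sees the `admin` key, so the model cannot be tricked into setting it.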

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow