If I’m not mistaken, a user can send POST data from outside of a web
browser; I think this is something that is done to brute-force form
logins, or to automate spam, etc.
Yes, and often for testing.
In my app, which operates like a forum, Comment objects have a boolean
attribute “sticky” which determines if that Comment is displayed before
all other comments.
I was thinking, what would happen if a user forcefully sent "sticky =>
true" in POST data? I would imagine my app’s new_comment action would
simply create a new object from that data and falsely make his or her
post a sticky-post. Is this a possibility, and is it something I should
be trying to prevent? Just something I recently pondered.
That is a danger if you’re doing something like:
MyModel.create(params[:my_model])
without checking the param values.
You probably want to take a look at the attr_protected method:
http://rails.rubyonrails.org/classes/ActiveRecord/Base.html#M001005
James.
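A stand-alone illustration of the point James makes, added here and not part of the original thread or of Rails itself: a small stand-in for the attr_protected deny-list applied to the "sticky" Comment attribute, with a constructed tampered POST body. The Comment class, its attribute names and the MassAssignment module are assumptions for this example; real Rails code would use ActiveRecord's own attr_protected/attr_accessible instead.

```ruby
# Added example, not code from the thread or from Rails: a minimal stand-in
# for attr_protected-style mass-assignment protection, applied to the
# "sticky" Comment attribute. The Comment class and module are assumptions.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Deny-list: listed attributes are never set from a params hash, no
    # matter what the client posts (an allow-list is the safer variant).
    def attr_protected(*names)
      @protected = names.map(&:to_s)
    end

    def protected_attributes
      @protected || []
    end
  end

  # Mass-assign every key in params except protected or unknown ones; the
  # rejected keys are returned so the caller can log the tampering attempt.
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if self.class.protected_attributes.include?(key) || !respond_to?("#{key}=")
        rejected << key
      else
        public_send("#{key}=", value)
      end
    end
    rejected
  end
end

class Comment
  include MassAssignment
  attr_accessor :body, :author, :sticky
  attr_protected :sticky   # only an admin code path should ever set this

  def initialize(params = {})
    @sticky = false
    assign_attributes(params)
  end
end

# Constructed POST data imitating a client that adds "sticky" to the form.
TAMPERED_PARAMS = { "body" => "first!", "author" => "mallory", "sticky" => "true" }
```

With the deny-list in place `Comment.new(TAMPERED_PARAMS)` keeps body and author but leaves sticky false, and the returned `["sticky"]` is what you would write to the log.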