---
title: Use Strong Parameters for Controller Input
impact: HIGH
impactDescription: prevents Mass Assignment vulnerabilities
tags: rails, security, mass-assignment, vulnerability, quality
---

## Use Strong Parameters for Controller Input

Explicitly define which parameters are allowed for mass assignment in Rails controllers to prevent malicious users from updating unintended fields.

**Incorrect (unsafe params):**

```ruby
def update
  @user = User.find(params[:id])
  # Mass assignment vulnerability: every key the client put in params[:user]
  # is written to the model, including attributes the form never exposed.
  # (Current Rails raises ActiveModel::ForbiddenAttributesError here rather
  # than silently assigning, but the intent of the code is still wrong.)
  @user.update(params[:user])
end
```

**Correct (strong parameters):**

```ruby
def update
  @user = User.find(params[:id])
  @user.update(user_params)
end

private

def user_params
  params.require(:user).permit(:first_name, :last_name, :email)
end
```
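To see the allow-list effect without booting Rails, the following is an added example (not the page's code and not Rails' own implementation): a small Ruby model of the `require`/`permit` semantics run against a constructed tampered request body. `SafeParams`, `TAMPERED` and `user_params` are hypothetical names introduced here.

```ruby
# Added example: minimal model of ActionController::Parameters#require/#permit
# allow-list behaviour (simplified; Rails' real class does more).
class ParameterMissing < StandardError; end

class SafeParams
  attr_reader :to_h
  def initialize(hash)
    @to_h = hash.transform_keys(&:to_s) # Rails stores keys as strings
  end

  # require(:user): return the :user sub-hash, or raise when it is missing.
  # Rails turns ParameterMissing into a 400 Bad Request response.
  def require(key)
    value = @to_h[key.to_s]
    raise ParameterMissing, "param is missing: #{key}" if value.nil? || value == {}
    value.is_a?(Hash) ? SafeParams.new(value) : value
  end

  # permit(:a, :b, address: [:city]): keep only the declared keys; anything
  # else the client sent ("role", "id", ...) is silently dropped.
  def permit(*filters)
    SafeParams.new(filter(@to_h, filters))
  end

  private

  def filter(hash, filters)
    filters.each_with_object({}) do |f, out|
      if f.is_a?(Hash)                       # nested hash with its own allow-list
        f.each do |k, sub|
          k = k.to_s
          out[k] = filter(hash[k], Array(sub)) if hash[k].is_a?(Hash)
        end
      else                                   # plain scalar attribute
        k = f.to_s
        out[k] = hash[k] if hash.key?(k) && !(hash[k].is_a?(Hash) || hash[k].is_a?(Array))
      end
    end
  end
end

# Constructed request body: the client added "role", "id" and "zip" itself.
TAMPERED = { "user" => { "first_name" => "Ada", "email" => "ada@example.com", "role" => "admin",
                         "id" => 1, "address" => { "city" => "London", "zip" => "drop" } } }

def user_params(params)
  SafeParams.new(params).require(:user)
            .permit(:first_name, :last_name, :email, address: [:city]).to_h
end
```

Running `user_params(TAMPERED)` returns only `first_name`, `email` and `address.city`; a body without a `user` key raises `ParameterMissing`, which is the behaviour the strong-parameters version above relies on.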

**Tools:** Brakeman, Rails default
