attr_accessor vs attr_accessible

attr_accessible is used to identify attributes that are accessible by
your controller methods. This protects your models from being
written to by malicious users posting values they shouldn't be
able to set into your create and update methods. All of your fields are blank
except the one that you specified to be accessible because Rails is
doing its job :)


attr_accessible will only allow access to the attributes that you
specify, denying the rest. attr_protected will deny access to the
attributes that you specify, allowing the rest, and specifying neither
in your model will allow access to all attributes.
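The three cases above (allow-list, deny-list, and no protection at all) can be run side by side with a small stand-in for the Rails 3-era mass-assignment behaviour. This is an added example, not code from the original post or from Rails; the MassAssignment module, the User/Account/Note classes and the SAMPLE_PARAMS hash are constructed here for illustration, and the module only mimics the attribute-filtering rule, not ActiveRecord itself.

```ruby
# Added example: a tiny stand-in for Rails 3-era mass-assignment protection,
# so attr_accessible / attr_protected semantics can be exercised without
# ActiveRecord. Names below are constructed for illustration only.
module MassAssignment
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Allow-list: only these names may be written via mass assignment.
    def attr_accessible(*names)
      @accessible = names.map(&:to_sym)
    end

    # Deny-list: everything except these names may be written.
    def attr_protected(*names)
      @protected = names.map(&:to_sym)
    end

    # Decide whether a parameter name may be written via mass assignment:
    #   attr_accessible given -> only listed names pass
    #   attr_protected given  -> everything except listed names passes
    #   neither given         -> everything passes (the unsafe default)
    def assignable?(name)
      name = name.to_sym
      if @accessible
        @accessible.include?(name)
      elsif @protected
        !@protected.include?(name)
      else
        true
      end
    end
  end

  # Mass-assign a params hash; returns the list of keys that were rejected
  # instead of written, so a caller (or a log line) can see what was dropped.
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      if self.class.assignable?(key)
        instance_variable_set("@#{key}", value)
      else
        rejected << key.to_sym
      end
    end
    rejected
  end
end

# Allow-list model: only name and email can come from request params.
class User
  include MassAssignment
  attr_accessor :name, :email, :admin
  attr_accessible :name, :email
end

# Deny-list model: anything except admin can come from request params.
class Account
  include MassAssignment
  attr_accessor :name, :balance, :admin
  attr_protected :admin
end

# No protection: every key in the params hash is written, including admin.
class Note
  include MassAssignment
  attr_accessor :title, :body, :admin
end

# Constructed request params: a form post where the client added an "admin"
# field that the form never offered.
SAMPLE_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => true }

# Build a record of the given class from params; returns [record, rejected_keys].
def mass_assign(model_class, params)
  record = model_class.new
  rejected = record.assign_attributes(params)
  [record, rejected]
end

if __FILE__ == $0
  [User, Account, Note].each do |klass|
    record, rejected = mass_assign(klass, SAMPLE_PARAMS)
    puts "#{klass}: admin=#{record.admin.inspect} rejected=#{rejected.inspect}"
  end
end
```

Running it shows the allow-list and deny-list models leaving admin unset and reporting the dropped key, while the unprotected Note accepts admin: true from the same request.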


attr_accessor is an easy way to create read and write accessors in your
class. attr_accessor :myvar replaces the following.


# reader: returns the instance variable
def myvar
  @myvar
end


# writer: assigns the instance variable
def myvar=(myvar)
  @myvar = myvar
end


Also, railscasts.com has videos on the security aspects of attr_accessible:

http://railscasts.com/episodes/26-hackers-love-mass-assignment

http://railscasts.com/episodes/237-dynamic-attr-accessible
