I have understood that params.require / params.expect is used for filtering parameters.
params.expect(post: [ :title, :summary ])
But which attacks does it prevent?
Or rather: what could happen without filtering parameters?
The database table has only a set of defined columns, each with additional constraints. It is not possible to write anything else into the table. The database itself should prevent writing something invalid to it. So why is this additional filtering necessary?
Can someone provide an easy-to-understand example of what could happen without filtering parameters?
I guess with an example I might get it.
Let's say you have a users table. It has columns username, password (or password_hash) and admin.
Users should be able to change their own password, but should not be able to make themselves admin, and the username should never change.
If your change-password form doesn't permit parameters and the raw parameters are passed straight to the database, then users could use that form to change their username or make themselves admin.
A less drastic example using your example structure: should a user be able to set the created_at and updated_at fields of the post to whatever they like?
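The scenario from the answer above, as an added, runnable example that is not part of the original question or answer and does not use Rails itself. The User class is a stand-in for a users table with exactly the three columns the answer names, its update method does the same mass assignment an ORM does when handed a hash, and the permit helper is a hypothetical imitation of what params.expect(user: [:password]) or params.require(:user).permit(:password) does, not the ActionController::Parameters code. The attack request is constructed: the password form's parameters with admin and username bolted on. Password hashing uses a bare SHA-256 only to keep the example self-contained; a real application would use bcrypt via has_secure_password.

```ruby
require "digest"

# Stand-in for the users table from the answer: username, password_hash, admin.
# Every one of these is a real column, so the database accepts any value that
# fits the column type. Nothing at the storage layer knows that the
# change-password form was only ever supposed to touch password_hash.
class User
  COLUMNS = %i[username password_hash admin].freeze
  attr_reader :username, :password_hash, :admin

  def initialize(username:, password:, admin: false)
    @username = username
    @password_hash = self.class.hash_password(password)
    @admin = admin
  end

  # Mass assignment the way an ORM does it: each key that names a column is
  # written. `password` is a virtual attribute that sets password_hash.
  def update(attrs)
    attrs.each do |key, value|
      case key.to_sym
      when :password then @password_hash = self.class.hash_password(value)
      when *COLUMNS then instance_variable_set("@#{key}", value)
      end
    end
    self
  end

  # Placeholder hash so the example runs offline; not suitable for real passwords.
  def self.hash_password(plain)
    Digest::SHA256.hexdigest(plain)
  end
end

# Hypothetical imitation of strong parameters: keep only the listed keys and
# silently drop the rest (Rails logs unpermitted keys; by default it does not
# raise). This is not the Rails implementation.
def permit(params, allowed)
  params.select { |key, _| allowed.include?(key.to_sym) }
end

# Constructed attacker request: a normal change-password submission with two
# extra fields that the form never renders but the table happily stores.
ATTACK_PARAMS = {
  "password" => "hunter2",
  "admin" => true,
  "username" => "root"
}.freeze

# The vulnerable controller action: raw request parameters straight into update.
def change_password_unfiltered(user, params)
  user.update(params)
end

# The fixed action: only :password survives, matching
# params.expect(user: [:password]) in a real Rails controller.
def change_password_filtered(user, params)
  user.update(permit(params, [:password]))
end

if __FILE__ == $PROGRAM_NAME
  victim = User.new(username: "alice", password: "old-password")
  change_password_unfiltered(victim, ATTACK_PARAMS)
  puts "unfiltered: username=#{victim.username} admin=#{victim.admin}"

  victim = User.new(username: "alice", password: "old-password")
  change_password_filtered(victim, ATTACK_PARAMS)
  puts "filtered:   username=#{victim.username} admin=#{victim.admin}"
end
```

Run it and the unfiltered path reports username=root admin=true while the filtered path reports username=alice admin=false, with the password changed in both cases. The check a practitioner wants from this: the database never objected, because admin is a legitimate boolean column; the only place the "this form may only change the password" rule can live is the parameter filter.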