mislav/will_paginate

Why isn't there any validation on per_page parameter

mauro-ni opened this issue · 2 comments

The page parameter is validated and a proper exception is raised in case of errors:
https://github.com/mislav/will_paginate/blob/master/lib/will_paginate/page_number.rb

Why isn't there any validation on per_page parameter?
https://github.com/mislav/will_paginate/blob/master/lib/will_paginate/per_page.rb

If you try to paginate providing per_page: -1 then you get an error!

ActiveRecord::StatementInvalid: Mysql2::Error: You have an error in your SQL syntax; check the 
manual that corresponds to your MySQL server version for the right syntax to use near '-1 OFFSET 
0' at line 1: SELECT  `users`.* FROM `users` WHERE `users`.`type` IN ('admin') LIMIT -1 OFFSET 0

Many thanks in advance.
Mauro

Per-page is being validated: your error message indicates a failed validation.

If you are getting per-page as a user-supplied value, then it is up to you to validate it, just as you must validate ALL data received from the user.

Check out validates_numericality_of. You will want integers only with a value larger than 0.

Be sure to validate server side to ensure the user cannot override it.

Thank you @BryanH.

@maurosbu The reason why will_paginate performs the validation of page parameter and not of per_page is because the former comes from the outside of the application in most cases (e.g. via the ?page=3 query parameter), while the latter should be embedded and controlled inside the app based on memory/performance requirements.

If you allow per_page to be specified by the user (this is considered advanced usage) then you MUST validate the values yourself, and also cap it to some maximum value (e.g. 100 per page max). I do not find it appropriate that will_paginate handles this validation.
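Both replies above say the same thing: if `per_page` comes from the client, the application must check it is a positive integer and cap it before it reaches the query. The following is an added example of that check in plain Ruby, not code from will_paginate or from either commenter; the defaults of 30 and 100, the `InvalidPerPage` class and the helper names are assumptions made for the example. The `limit_offset_clause` helper only mirrors the `LIMIT ... OFFSET ...` shape seen in the MySQL error so the effect of the check is visible.

```ruby
# Added example (not will_paginate's own code): validate a user-supplied
# per_page value before it reaches the database, as the thread recommends.

DEFAULT_PER_PAGE = 30   # assumed default when the client sends nothing
MAX_PER_PAGE     = 100  # assumed cap, as in the "100 per page max" suggestion

class InvalidPerPage < ArgumentError; end

# Takes the raw query-string value (String or nil) and returns an Integer in
# 1..max. Non-numeric input, "-1" and "0" are rejected; values above the cap
# are clamped rather than rejected, so a client can never pull the whole
# table in one page. The check is done server side, where the client cannot
# bypass it.
def safe_per_page(raw, default: DEFAULT_PER_PAGE, max: MAX_PER_PAGE)
  str = raw.to_s.strip
  return default if str.empty?

  # Strict digit match: String#to_i would silently turn "10abc" into 10 and
  # "-1" into -1, which is exactly the LIMIT -1 that produced the SQL error.
  unless str.match?(/\A\d+\z/)
    raise InvalidPerPage, "per_page must be a positive integer, got #{raw.inspect}"
  end

  value = Integer(str, 10)
  raise InvalidPerPage, "per_page must be at least 1, got #{value}" if value < 1

  [value, max].min
end

# Convenience predicate for callers that prefer a boolean to an exception.
def valid_per_page?(raw)
  safe_per_page(raw)
  true
rescue InvalidPerPage
  false
end

# Builds the LIMIT/OFFSET fragment in the same shape as the query quoted in
# the issue. Page numbers get the same strict treatment as per_page.
def limit_offset_clause(raw_page, raw_per_page)
  per_page = safe_per_page(raw_per_page)
  page_str = raw_page.to_s.strip
  page_str = "1" if page_str.empty?
  raise ArgumentError, "page must be a positive integer" unless page_str.match?(/\A[1-9]\d*\z/)
  page = Integer(page_str, 10)
  "LIMIT #{per_page} OFFSET #{(page - 1) * per_page}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, as they might arrive in params[:per_page].
  %w[25 500 -1 0 10abc].each do |raw|
    puts "#{raw.inspect} -> #{valid_per_page?(raw) ? safe_per_page(raw) : 'rejected'}"
  end
  puts limit_offset_clause("3", "25")
end
```

In a Rails controller this would be called once, e.g. `User.paginate(page: params[:page], per_page: safe_per_page(params[:per_page]))`, with `InvalidPerPage` mapped to a 400 response; the model-level `validates_numericality_of` mentioned above is the equivalent check when the value is stored on a record rather than read per request.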