I've done a fair amount of development with Tapestry. One of the components available in Tapestry is the table component. One of the features of this component is that it makes creating sortable column headings reasonably easy. Is there such a thing in rails (that also plays nicely with paging)?

Regards,

Glen

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
Hi,

Take this with a grain of salt since I only started learning ruby/rails a day ago, but the way I have done it is to have a SortHelper (see below). Then in my ApplicationController I add

    helper :sort
    include SortHelper

Then in my view each of my table headers looks something like

    <%= sort_link_to "created_on", {:caption => "Created"} %>

And finally in my controller I use the gen_order_by method with something like

    @issue_pages, @issues = paginate :issue, :order_by => gen_order_by(), :per_page => 10

This seems to work well enough for the simple scenario where we are sorting on column values. I have not yet found a nice way to sort based on a field in an object related to the object I am currently displaying.

HTH,

Pete

On 10/11/05, Glen Stampoultzis <gstamp-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I've done a fair amount of development with Tapestry. One of the
> components available in Tapestry is the table component. One of the features
> of this component is that it makes creating sortable column headings
> reasonably easy. Is there such a thing in rails (that also plays nicely with
> paging)?
>
> Regards,
>
> Glen
Thanks, seems like a reasonable solution. I'm surprised something like this isn't a standard part of rails yet. It's just a matter of time I guess. :-)

On 11/10/05, Peter Donald <peter.j.donald-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> Take this with a grain of salt since I only started learning ruby/rails a day ago but the way I have done it is have a SortHelper (see below). Then in my ApplicationController I add
>
>     helper :sort
>     include SortHelper
>
> Then in my view each of my table headers look something like
>
>     <%= sort_link_to "created_on", {:caption => "Created"} %>
>
> And finally in my controller I use the gen_order_by method with something like
>
>     @issue_pages, @issues = paginate :issue, :order_by => gen_order_by(), :per_page => 10
>
> This seems to work well enough for simple scenario where we are sorting on column values. I have not yet found a nice way to sort based on a field in object related to the object I am currently displaying.
>
> HTH,
>
> Pete
>
> On 10/11/05, Glen Stampoultzis <gstamp-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > [...]
My application_helper is attached. It passes the ordering back in the params[:order_by], so you can:

    @model_pages, @models = paginate :model, order_by => (@params[:order_by] or "modified_on DESC")

In addition, it displays an up/down arrow for the current sort field. Examples below:

    <%=th "field_name"%>
    #=> <th><a href="/current/action/?order_by=field_name">Field name</a></th>

    <%=th "field_name", :class => "css", :display => "Other name" %>
    #=> <th class="css"><a href="/current/action/?order_by=field_name">Other name</a></th>

    <%=th "field_name", :sort => false %>
    #=> <th>Field name</th>

On 10/11/05, Glen Stampoultzis <gstamp-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Thanks, seems like a reasonable solution. I'm surprised something
> like this isn't a standard part of rails yet. It's just a matter of
> time I guess. :-)
>
> On 11/10/05, Peter Donald <peter.j.donald-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > [...]
> >
> > On 10/11/05, Glen Stampoultzis <gstamp-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > [...]
On Tuesday 11 Oct 2005 11:20, Kyle Maxwell wrote:
> My application_helper is attached. It passes the ordering back in the
> params[:order_by], so you can:

Thanks, that's a useful little bit of code!

You had a syntax error though, missing a closing } on line 23, which should read:

    "<th class=\"#{options[:class]}\">" + text + "</th>"

Also, in your example for the controller, you missed a colon on your order_by parameter:

    @model_pages, @models = paginate :model, :order_by => (@params[:order_by] or "modified_on DESC")

Not being picky here, and these are simple typo errors to fix, just trying to clear matters up if any total noobs try your code and can't get it to work.

An important thought about security too - I'm not such an expert on SQL injection that I can immediately think of dangerous examples to give, but your code appears to take whatever is in the URL and put it directly into the SQL statement, which undoubtedly does allow for some kinds of SQL injection attacks.

I'm not sure what to suggest, since the following does not work:

    :order_by => ["?", @params[:order_by]]

However, altering the URL definitely does allow the insertion of arbitrary text into the SQL, which can probably be abused by someone with the knowhow, so at the moment I'd possibly be a little cautious using this approach.

Can't find much on the subject, other than this dead rubylandia forum post, brought back to life by Google cache:

http://rubyurl.com/TeK

No actual solution offered there though. There are a few bug reports which seem to be similar, and closed as "won't fix":

http://dev.rubyonrails.com/ticket/1420
http://dev.rubyonrails.com/ticket/1354

So perhaps it's not such a problem on ORDER BY, but I'm not sure, and not enough of an SQL injection expert to say. Can anyone else clarify?

All I know is that what's happening here - taking some user input and putting it directly into the database as it comes - sets my "danger" alarm bells ringing!

~Dave

--
Dave Silvester
Rent-A-Monkey Website Development
Web: http://www.rentamonkey.com/
On 10/11/05, Kyle Maxwell <kyle-FOSOgQihYpQjo0HpFSRKWA@public.gmane.org> wrote:
> My application_helper is attached. It passes the ordering back in the
> params[:order_by], so you can:
>
>     @model_pages, @models = paginate :model, order_by =>
>       (@params[:order_by] or "modified_on DESC")

This seems to open up a SQL-injection attack as an attacker could pass in arbitrary SQL by modifying the "order_by" parameter, no?

Sebastian
On 11/10/05, Sebastian Kanthak <skanthak-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 10/11/05, Kyle Maxwell <kyle-FOSOgQihYpQjo0HpFSRKWA@public.gmane.org> wrote:
> > My application_helper is attached. It passes the ordering back in the
> > params[:order_by], so you can:
> >
> >     @model_pages, @models = paginate :model, order_by =>
> >       (@params[:order_by] or "modified_on DESC")
>
> this seems to open up a SQL-injection attack as an attacker could pass
> in arbitrary SQL by modifying the "order_by" parameter, no?

Yes. Much better to have a predefined list of 'order by' clauses and pass just a key in the "order by" parameter. Something like ?order_by=1 or ?order_by=order_by_name_desc

--
Manuel

sometimes :) sometimes :( but always working hard for Simplelógica: appearance, experience and communication on the web.
http://simplelogica.net # (+34) 985 22 12 65
Oh! and writing at Logicola: http://logicola.simplelogica.net
On Oct 11, 2005, at 6:08 AM, Dave Silvester wrote:
> On Tuesday 11 Oct 2005 11:20, Kyle Maxwell wrote:
>
>> My application_helper is attached. It passes the ordering back in the
>> params[:order_by], so you can:
>
> An important thought about security too - I'm not such an expert on SQL
> injection that I can immediately think of dangerous examples to give, but
> your code appears to take whatever is in the URL and put it directly into the
> SQL statement, which undoubtedly does allow for some kinds of SQL injection
> attacks.
>
> I'm not sure what to suggest, since the following does not work:

http://dev.rubyonrails.com/ticket/2408

This will solve the problem if you pass :order_by in the URL and set it with routes.

--
-- Tom Mornini
I have a page that updates part of it by loading a partial rhtml via AJAX without reloading the main page. Everything works, except I have all my international accents appear as ??? ... any ideas how to fix this? I tried saving the pages as UTF-8, but it didn't solve my problems.

Alessandro
On Oct 11, 2005, at 12:04 PM, Alessandro Cauduro wrote:
> I have a page that updates part of it by loading a partial rhtml via AJAX
> without reloading the main page. Everything works, except I have all my
> international accents appear as ??? ... any ideas how to fix this? I tried
> saving the pages as UTF-8, but it didn't solve my problems.

Are you explicitly setting the charset in the header?

    headers["content-type"] = "text/html; charset=utf-8"

Alternatively, if you're using Apache, have you set the default charset in the .htaccess file?

    AddDefaultCharset utf-8

- Jamis
Well, once you get to ORDER BY, there's not a whole lot you can do without starting a new query. ActiveRecord only lets you do one query in find_by_sql. So you're limited to messing with the LIMIT, or running a stored procedure. Running a stored procedure could be a big deal, but I don't have any so I don't care.

The solution is to patch line 829 of activerecord/base.rb to not allow the word procedure in a :order parameter. If you want to play it safe, you could also disallow semicolons, or require the :order parameter to match a regular expression.

On 10/11/05, Tom Mornini <tmornini-W/9V78bTXriB+jHODAdFcQ@public.gmane.org> wrote:
> On Oct 11, 2005, at 6:08 AM, Dave Silvester wrote:
> > [...]
> >
> > I'm not sure what to suggest, since the following does not work:
>
> http://dev.rubyonrails.com/ticket/2408
>
> This will solve the problem if you pass :order_by in the URL and set it with
> routes.
>
> --
> -- Tom Mornini
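The thread leaves the fix as prose: Manuel suggests passing only a key in the URL and mapping it to a predefined ORDER BY clause, and Kyle mentions requiring the :order parameter to match a regular expression. The following is an added example, not code from the thread or from any attached helper, that does both: the request parameter is parsed with a strict pattern, the column name is looked up in a fixed table, and the SQL fragment is assembled only from those constants, so nothing taken from the URL is ever concatenated into the query. The names SORT_COLUMNS, DEFAULT_ORDER, safe_order_by and next_sort_param are this example's own, as is the "key:direction" parameter format; the sample inputs at the bottom are constructed.

```ruby
# Added example, not code from the thread. Combines Manuel's "pass only a key"
# whitelist with the regex check Kyle mentions so that params[:order_by] never
# reaches the SQL string as-is. All names here are this example's own.

# Whitelist: URL key => real column name. Only these columns can be sorted on,
# so a caller cannot order by a column the page does not expose.
SORT_COLUMNS = {
  "name"     => "name",
  "created"  => "created_on",
  "modified" => "modified_on",
}.freeze

# Used whenever the parameter is missing, malformed or names an unknown column.
DEFAULT_ORDER = "modified_on DESC".freeze

# Accepts exactly "key", "key:asc" or "key:desc" and nothing else (no spaces,
# semicolons, parentheses or commas), so a tampered value fails before lookup.
SORT_PARAM = /\A([a-z_]+)(?::(asc|desc))?\z/

# Turns a request parameter into an ORDER BY fragment built only from the
# constants above. Falls back to DEFAULT_ORDER instead of trusting the input.
def safe_order_by(param)
  m = SORT_PARAM.match(param.to_s)
  return DEFAULT_ORDER unless m
  column = SORT_COLUMNS[m[1]]
  return DEFAULT_ORDER unless column
  "#{column} #{m[2] == 'desc' ? 'DESC' : 'ASC'}"
end

# Builds the parameter a column-header link should carry: clicking the column
# that is currently sorted flips its direction, any other column starts ascending.
def next_sort_param(current_param, key)
  raise ArgumentError, "unknown sort key #{key.inspect}" unless SORT_COLUMNS.key?(key)
  m = SORT_PARAM.match(current_param.to_s)
  if m && m[1] == key && m[2] != "desc"
    "#{key}:desc"
  else
    "#{key}:asc"
  end
end

# Demo on constructed inputs. In a controller the call would look like
#   paginate :issue, :order_by => safe_order_by(params[:order_by]), :per_page => 10
if __FILE__ == $0
  ["created:desc", "name", nil, "modified_on DESC; SELECT 1", "password_hash:asc"].each do |p|
    puts "#{p.inspect.ljust(30)} => #{safe_order_by(p)}"
  end
end
```

The two rejected inputs in the demo show the two failure modes the helper closes: the first carries extra SQL and never matches the pattern, the second is well-formed but names a column that is not in the whitelist, and both end up on the default ordering rather than in the query.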