Security concerns aside, if I want to let the user write Rails code to my MySql database (e.g. <%= "Hello world" %>), and the application would then parse the code, would that be possible?

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Sat, 6 Oct 2007 20:59:27 +0200, Bob Sanders wrote:

> Security concerns aside, if I want to let the user write Rails code to
> my MySql database (e.g. <%= "Hello world" %>), and the application would
> then parse the code, would that be possible?

Sure:

  class MyModel < ActiveRecord::Base
    def do_something_dangerous
      # runs whatever Ruby is stored in the column, with the app's full privileges
      eval self.a_text_field_containing_ruby_code
    end
  end

--
Jay Levitt                |
Boston, MA                |  My character doesn't like it when they
Faster: jay at jay dot fm |  cry or shout or hit.
http://www.jay.fm         |  - Kristoffer

Howdy Bob -

On 6-Oct-07, at 2:59 PM, Bob Sanders wrote:

> Security concerns aside, if I want to let the user write Rails code to
> my MySql database (e.g. <%= "Hello world" %>), and the application would
> then parse the code, would that be possible?

(warning: "not what you asked, but imo a better solution to user generated content")

I have implemented such a feature for email templates using the liquid templating engine. You can benefit from flow control, operators and sandboxing.

Good resources are:

www.liquidmarkup.org
http://mephistoblog.com/ (look at the mephisto source for implementation)

Providing a context to liquid is the toughest part; not so tough - just need to explicitly tell liquid what objects, attributes, associations are avail.

Let me know if a bit of code can help you move forward.

cheers,
Jodi

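As an added example (not code from the thread, and not Liquid's own implementation), here is the "explicit context" approach Jodi describes, written in plain Ruby so it runs without the liquid gem: a template stored in a text column can only read attributes the application allowlists, in contrast to the eval in Jay's reply, which runs whatever the column contains. The {{ object.attribute }} syntax, the EXPOSED allowlist, the TemplateError class and the sample records are assumptions constructed for this example.

```ruby
require 'cgi'

# Per exposed object, the attributes a stored template may read.
# (Constructed allowlist for this example; a real app lists its own models.)
EXPOSED = {
  'user'  => %w[name email],
  'order' => %w[number total],
}.freeze

class TemplateError < StandardError; end

# Build the render context from application records. Only allowlisted attributes
# are copied in, so a password digest or API token is unreachable from a template.
def build_context(records)
  records.each_with_object({}) do |(name, record), ctx|
    allowed = EXPOSED.fetch(name) { raise TemplateError, "object not exposed: #{name}" }
    ctx[name] = allowed.map { |attr| [attr, record.fetch(attr)] }.to_h
  end
end

# Only {{ object.attribute }} lookups are interpreted; ERB tags and method calls
# are plain text to this renderer, so nothing in the template is ever executed.
VAR_RE = /\{\{\s*([a-z_]+)\.([a-z_]+)\s*\}\}/

def render_template(template, context)
  template.gsub(VAR_RE) do
    obj, attr = Regexp.last_match(1), Regexp.last_match(2)
    scope = context.fetch(obj) { raise TemplateError, "unknown object: #{obj}" }
    value = scope.fetch(attr) { raise TemplateError, "attribute not exposed: #{obj}.#{attr}" }
    CGI.escapeHTML(value.to_s) # attribute values are data, not markup
  end
end

# Constructed sample: the template as it would sit in a text column, plus the
# records it is rendered against (note the sensitive password_digest).
STORED_TEMPLATE = 'Hi {{ user.name }}, order {{order.number}} totals {{ order.total }}. <%= "Hello world" %>'
RECORDS = {
  'user'  => { 'name' => '<b>Bob</b>', 'email' => 'bob@example.com', 'password_digest' => 'secret' },
  'order' => { 'number' => 1042, 'total' => '19.99' },
}.freeze

def demo
  render_template(STORED_TEMPLATE, build_context(RECORDS))
end

puts demo if $PROGRAM_NAME == __FILE__
```

A template that references an attribute outside the allowlist, or an object the app never exposed, is refused with TemplateError rather than silently rendering the value.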
Thanks a bunch, Jay! That was fast :)

Hi Jody!

That was what I thought might work too :) Thanks for the great advice. I actually just installed the liquid plugin before I saw your post, and I'll look into Mephisto.

Thanks a bunch again for the fabulous advice, Jody.

...and I can't believe I just spelled your name incorrectly, Jodi ;)

Bob -

On 6-Oct-07, at 3:15 PM, Bob Sanders wrote:

> Hi Jody!
>
> That was what I thought might work too :) Thanks for the great advice. I
> actually just installed the liquid plugin before I saw your post, and
> I'll look into Mephisto.

After writing I realized that depending on your needs there might be another option - I'm looking at this option right now.

If you're not doing templating, FFSB[1] (_why's FreakyFreaky Sandbox) might be an option. Fully ruby sandboxed syntax - not geared to templates though. The syntax is much sweeter though - the ruby we love - I've found liquid syntax to be a bit painful but certainly a good solution for end user templating.

Unfortunately there hasn't been a commit to FFSB since late 2006. I've presently asked _why the status - no response yet.

(and np on the spelling. common mistake. Mom was a hippy who loved boys with girls names err spellings)

Jodi

[1] http://code.whytheluckystiff.net/sandbox/