In my own framework, I have a tool which converts forms into queries and has certain features I'm not seeing talked about for ActiveRecord. Before I go transcribing the tools I'm used to working with into Ruby, I figured I'd make sure that AR doesn't already have a "rails way" to do some of these things.

Sorry this is a bit long, but I think an example is needed to explain what I'm looking for.

Let's assume a form has these input fields (searching for cars), and for simplicity we'll assume these names correspond to model and SQL fields of the same names.

autoMake
autoModel
autoYear
autoColor

To perform this query in my system (ruby-ish pseudo code)

foundAutos = recordData(
  inputs = 'autoMake, autoModel, autoYear, autoColor',
  where = FORM)

inputs = a list of input fields that are allowed to participate in the search. Effectively what happens is that the [params] array is filtered to eliminate any elements not specified in inputs, then that array is passed on to the query builder. This allows complete automation of the query building w/o fear of parameter injection.

where = is like AR's :conditions. There are several options for passing info, and assigning it the constant FORM declares that the query is built based on keys passed via params (vs literal and semi-literal queries like AR also does).

Question 1: input filtering

So far in AR, I don't see a way to automate an entire query from form data except through the technique of (:all, :conditions => params[:object]) and that does not appear to offer any input filter to prevent parameter injection. Am I correct in this? AWDWR seems to imply this technique can be dangerous, and I would suspect param injection is why.

Question 2: parameter operators

In my system, I have a convention for altering whether parameters are searched using = != or LIKE by adding the characters Op (for "operator") to the end of a parameter name like autoYearOp; the value of that parameter is one of 'eq, neq, bw, ew, lt, lte, gt, gte, cn, btw' for EQual to, Not Equal, Begins With, Ends With, etc.

So, if my params include autoYear = 1997 and autoYear = gte, then the query builder generates "autoYear >= 1997," or if autoColor = 'blu' and autoColorOp = 'bw', then I'll get "autoColor LIKE 'blu%'".

I don't see ActiveRecord having anything like that. Does it?

If Rails has nothing built-in that's fine, I can develop my own methods for this, I just don't want to re-create existing features.

Thanks.

-- gw
-- Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org. To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On 10/30/07, Greg Willits <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> In my own framework, I have a tool which converts forms into queries and
> has certain features I'm not seeing talked about for ActiveRecord.
> Before I go transcribing the tools I'm used to working with into Ruby,
> I figured I'd make sure that AR doesn't already have a "rails way" to do
> some of these things.
>
> Sorry this is a bit long, but I think an example is needed to explain
> what I'm looking for.
>
> Let's assume a form has these input fields (searching for cars), and for
> simplicity we'll assume these names correspond to model and SQL fields
> of the same names.
>
> autoMake
> autoModel
> autoYear
> autoColor
>
> To perform this query in my system (ruby-ish pseudo code)
>
> foundAutos = recordData(
>   inputs = 'autoMake, autoModel, autoYear, autoColor',
>   where = FORM)
>
> inputs = a list of input fields that are allowed to participate in the
> search. Effectively what happens is that the [params] array is filtered
> to eliminate any elements not specified in inputs, then that array is
> passed on to the query builder. This allows complete automation of the
> query building w/o fear of parameter injection.
>
> where = is like AR's :conditions. There's several options for passing
> info, and assigning it the constant FORM declares that the query is
> built based on keys passed via params (vs literal and sem-literal
> queries like AR also does).
>
> Question 1: input filtering
>
> So far in AR, I don't see a way to automate an entire query from form
> data except through the technique of (:all, :conditions =>
> params[:object]) and that does not appear to offer any input filter to
> prevent parameter injection. Am I correct in this? AWDWR seems to imply
> this technique can be dangerous, and I would suspect param injection is
> why.
>
> Question 2: parameter operators
>
> In my system, I have a convention for altering whether parameters are
> searched using = != or LIKE by adding the character Op (for "operator")
> to the end of a parameter name like autoYearOp, the value of that
> parameter is one of 'eq, neq, bw, ew, lt, lte, gt, gte, cn, btw for
> EQual to, Not Equal, Begins With, Ends With, etc.
>
> So, if my params include autoYear = 1997 and autoYear = gte, then the
> query builder generates "autoYear >= 1997," or if autoColor = 'blu' and
> autoColorOp = 'bw', then I'll get "autoColor LIKE 'blu%'".
>
> I don't see ActiveRecord having anything like that. Does it?
>
> If Rails has nothing built-in that's fine, I can develop my own methods
> for this, I just don't want to re-create existing features.

ActiveRecord performs input sanitization with the :conditions option:

Foo.find :all, :conditions => {:foo => params[:foo]}
Foo.find :all, :conditions => ['foo = ?', params[:foo]]

For more advanced conditions, see the Ambition or ez_where libraries:

http://errtheblog.com/post/11998
http://brainspl.at/articles/2006/01/30/i-have-been-busy

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
Rick Olson wrote:
> On 10/30/07, Greg Willits <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>>
>> where = is like AR's :conditions. There's several options for passing
>> this technique can be dangerous, and I would suspect param injection is
>> So, if my params include autoYear = 1997 and autoYear = gte, then the
>> query builder generates "autoYear >= 1997," or if autoColor = 'blu' and
>> autoColorOp = 'bw', then I'll get "autoColor LIKE 'blu%'".
>>
>> I don't see ActiveRecord having anything like that. Does it?
>>
>> If Rails has nothing built-in that's fine, I can develop my own methods
>> for this, I just don't want to re-create existing features.
>
> ActiveRecord performs input sanitization with the :conditions option:
>
> Foo.find :all, :conditions => {:foo => params[:foo]}
> Foo.find :all, :conditions => ['foo = ?', params[:foo]]

But "sanitization" = SQL & XSS injection type stuff. When I say parameter injection I mean the form is only supposed to have those four fields, but of course, a form can be edited before submitting, so someone can add parameters by adding to the form. I don't see how Rails prevents those extra inputs from being added to params and therefore from being added to the query.

> For more advanced conditions, see the Ambition or ez_where libraries:
>
> http://errtheblog.com/post/11998
> http://brainspl.at/articles/2006/01/30/i-have-been-busy

Neither of these is quite what I am looking for. Thanks for the links though; each is close to some aspects of what I want, so I may be able to borrow/extend theirs. I'm not looking for more advanced conditions, I'm looking for something to build the query w/o having to define conditions, by interpreting the form in more advanced ways on its own--at least for this certain genre of form-to-query queries.

Thx.

-- gw
-- Posted via http://www.ruby-forum.com/.
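The two concerns in this thread are separable: Rick's placeholder and hash forms of :conditions quote the *values*, while Greg's `inputs` list decides which *keys* may reach the query at all. The following is an added example (not code from the thread, from ActiveRecord, or from Greg's framework) of a plain-Ruby builder that does both: it drops any form key not in the server-side `inputs` list (Question 1), interprets the `<name>Op` suffix convention (Question 2), and returns a Rails 1.x/2.x-style conditions array `["sql with ?", value, ...]` that `find(:all, :conditions => ...)` would accept. The function names, the `inputs` list, the sample params, the LIKE escaping, and the two-value array form of `btw` are all assumptions.

```ruby
# Added example, not from the thread: a plain-Ruby form-to-query builder that
# allow-lists the form keys (Question 1), honours the "<name>Op" operator
# suffix convention (Question 2), and returns an ActiveRecord-style
# conditions array ["sql with ?", value, ...] so values are quoted by the
# driver, as in Rick's  :conditions => ['foo = ?', params[:foo]]  form.
# All names, the inputs list and the sample params are constructed.

# Operator codes the form may use, mapped to SQL. Anything else is rejected.
OPERATORS = {
  'eq'  => '=',  'neq' => '<>',
  'lt'  => '<',  'lte' => '<=',
  'gt'  => '>',  'gte' => '>=',
  'bw'  => 'LIKE',    # begins with
  'ew'  => 'LIKE',    # ends with
  'cn'  => 'LIKE',    # contains
  'btw' => 'BETWEEN'  # assumption: value is a two-element array (lo, hi)
}.freeze

# Escape LIKE metacharacters so a search for "50%" matches a literal "50%".
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Question 1: keep only the keys named in +inputs+ (plus their "<name>Op"
# twins). Any extra field a client adds to the form is dropped here, before
# the query builder ever sees it.
def filter_params(params, inputs)
  allowed = inputs.flat_map { |name| [name, "#{name}Op"] }
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Question 2: build ["frag AND frag ...", v1, v2, ...]. Column names come from
# the server-side +inputs+ list, never from the request, so interpolating
# them is safe; values always travel through "?" placeholders. Returns nil
# when no allowed field was supplied (AR treats nil :conditions as no WHERE).
def build_conditions(params, inputs)
  clean = filter_params(params, inputs)
  fragments = []
  values = []

  inputs.each do |name|
    value = clean[name]
    next if value.nil? || value.to_s.empty?

    op_code = (clean["#{name}Op"] || 'eq').to_s
    sql_op = OPERATORS.fetch(op_code) do
      raise ArgumentError, "unknown operator #{op_code.inspect} for #{name}"
    end

    case op_code
    when 'bw', 'ew', 'cn'
      pattern = escape_like(value)
      pattern = "#{pattern}%" if op_code != 'ew'   # bw and cn: trailing wildcard
      pattern = "%#{pattern}" if op_code != 'bw'   # ew and cn: leading wildcard
      fragments << "#{name} LIKE ? ESCAPE '\\'"
      values << pattern
    when 'btw'
      lo, hi = Array(value).first(2)
      raise ArgumentError, "btw needs two values for #{name}" if lo.nil? || hi.nil?
      fragments << "#{name} BETWEEN ? AND ?"
      values.push(lo, hi)
    else
      fragments << "#{name} #{sql_op} ?"
      values << value
    end
  end

  return nil if fragments.empty?
  [fragments.join(' AND '), *values]
end

if __FILE__ == $PROGRAM_NAME
  inputs = %w[autoMake autoModel autoYear autoColor]
  # Constructed request: the four expected fields plus an extra "isAdmin"
  # key that the form never defined; it is filtered out, not queried.
  params = { 'autoMake' => 'Ford', 'autoYear' => '1997', 'autoYearOp' => 'gte',
             'autoColor' => 'blu', 'autoColorOp' => 'bw', 'isAdmin' => '1' }
  p build_conditions(params, inputs)
  # In a Rails 1.x/2.x app this would feed find directly (not run here):
  #   Auto.find(:all, :conditions => build_conditions(params, inputs))
end
```

The design point is that the operator code is looked up in a fixed table and the column name comes from `inputs`, so the only request-controlled data that reaches SQL is a placeholder value; an unknown operator raises rather than being interpolated, and an extra key such as `isAdmin` never appears in the WHERE clause.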