Greg Hauptmann
2008-Aug-21 01:52 UTC
Can anyone recommend a safe way/strategy to input some search conditions via URL parameters?
Hi,
Question - Can anyone recommend a safe way/strategy to input some
search conditions via URL parameters? So the requirements are:
[1] Only use URL parameters (e.g. key & value pair, where value is a string)
[2] At the server side convert these to a query string (i.e. the WHERE
clause in a SQL select statement)
[3] Need to "scrub" the inputs to avoid SQL injection
[4] Want to support more than basic column_name = value, so I need
also (here column_name would be the key):
(a) column_name = true/false [for boolean]
(b) NOT support - i.e. column_name != value
(c) IS NOT NULL support, i.e. column_name IS NOT NULL
(d) Range, i.e. column_name IS BETWEEN value1 AND value2
(e) Some permutations of these, e.g. column name != true (so NOT
and a boolean)
Any suggestions? Anything I''m missing that solves this in Rails or
ActiveScaffold?
Background: The background is I''m using the ActiveScaffold (
http://activescaffold.com/) out of the box views. It has a server
side "conditions_from_params" that is supported & it passes the
URL
parameters around well (e.g. then sorting buttons at columns continues
to work even through you''ve filtered down the list of rows).
Here''s
an extract of how I started to add some support to this for "range"
and "boolean", however I agree it''s messy. I''m just
looking for a
better way to do the below, plus then add on the other above-mentioned
support I have. Obviously I could just pass the exact parameters I
want for the WHERE clause in a query however then I assume there would
be SQL injection potential issues...
# Builds search conditions by search params for column names. This
allows urls like "contacts/list?company_id=5".
def conditions_from_params
conditions = nil
params.reject {|key, value| [:controller, :action,
:id].include?(key.to_sym)}.each do |key, value|
next unless
active_scaffold_config.model.column_names.include?(key) # reject
keys that don''t match table column in database
if value.match(".*[.][.].*")
# Range was specified
elements = value.split(''..'')
conditions = merge_conditions(conditions,
["#{active_scaffold_config.model.table_name}.#{key.to_s} BETWEEN
''#{elements[0]}'' AND ''#{elements[1]}''
"])
else
# No range
if ( value.upcase == "TRUE" || value.upcase ==
"FALSE")
# Boolean
conditions = merge_conditions(conditions,
["#{active_scaffold_config.model.table_name}.#{key.to_s} = ?",
value.upcase == "TRUE" ? true : false])
else
# Non Boolean
conditions = merge_conditions(conditions,
["#{active_scaffold_config.model.table_name}.#{key.to_s} = ?", value])
end
end
end
conditions
end
Thanks
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---