Is there a reason NOT to sort a list using a session variable as in this function?

--CONTROLLER--

  def list
    sort_by = params[:sort_by]
    if session[:sort_by] == sort_by
      sort_by += ' desc'
    end
    session[:sort_by] = sort_by
    @book_pages, @books = paginate :books, :order => sort_by, :per_page => 10
  end

--VIEW--

  <tr>
    <th><a href="?sort_by=publisher_id">Publisher</a></th>
    <th><a href="?sort_by=title">Title</a></th>
    <th><a href="?sort_by=isbn">ISBN</a></th>
    <th colspan="3"></th>
  </tr>

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Yup. SQL injection. params[:sort_by] could contain an SQL fragment.

Vish

On 12/4/06, Taylor Strait <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Is there a reason NOT to sort a list using a session variable as in this
> function?
Hmmm. Point taken. Any suggestions on preventing SQL injection?
Whew! That is dangerous! One SQL comment line and that schema is toast!

  http://localhost:3001/admin/book/list?sort_by=title;%20drop%20table

returns:

  ActiveRecord::StatementInvalid in Admin/bookController#list
  Mysql::Error: #42000You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; drop table LIMIT 0, 10' at line 1: SELECT * FROM books ORDER BY title; drop table LIMIT 0, 10

So is there some way to sanitize the parameter or do I need to add a whole new layer of abstraction?
This thread helped:

  http://www.ruby-forum.com/topic/82349#143790

However, I haven't been able to splice SQL-escaping syntax into the :order => clause in 'paginate.' The API docs are of no help. A few failures:

  @books = paginate :books,
    :order => "#{sort_by}",
    :per_page => 10

> Does nothing.

  @books = paginate :books,
    :order => [":sort_by_criteria", {:sort_by_criteria => sort_by}],
    :per_page => 10

> Doesn't replace the value and tries to order by literally ":sort_by_criteria"
  @books = paginate :books, :order => ['?', sort_by], :per_page => 10

?

Vish

On 12/4/06, Taylor Strait <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> This thread helped:
>
> http://www.ruby-forum.com/topic/82349#143790
Vishnu Gopal wrote:
> @books = paginate :books, :order => ['?', sort_by], :per_page => 10 ?

We're getting closer:

> @book_pages, @books = paginate :books,
>   :order => ['?', sort_by],
>   :per_page => 10

returns:

> SELECT * FROM books ORDER BY ?isbn LIMIT 0, 10 (sort_by = 'isbn')

For some reason it is appending the '?' onto sort_by. "" doesn't work either. Here is the whole function in case I missed something:

  def list
    sort_by = params[:sort_by]
    unless session[:sort_by].nil?
      if session[:sort_by] == sort_by
        sort_by += ' desc'
      end
    end
    session[:sort_by] = sort_by
    @book_pages, @books = paginate :books,
      :order => ['?', sort_by],
      :per_page => 10
  end
Hmm weird. Try a space after the ?, as in "? ".

Vish

On 12/4/06, Taylor Strait <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Vishnu Gopal wrote:
> > @books = paginate :books, :order => ['?', sort_by], :per_page => 10 ?
>
> We're getting closer:
Vishnu Gopal wrote:
> Hmm weird. Try a space after the ?, as in "? ".

That returns the same error:

> SELECT * FROM books ORDER BY ? isbn LIMIT 0, 10

I can't believe this paginate issue hasn't been covered somewhere! My searches only revealed that one thread posted above.
What about "? DESC" or "? ASC" ? Trial and error (and script/console) is a good friend :-) Sadly I don't have irb right now.

Vish

On 12/4/06, Taylor Strait <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Vishnu Gopal wrote:
> > Hmm weird. Try a space after the ?, as in "? ".
>
> That returns the same error:
Vishnu Gopal wrote:
> What about "? DESC" or "? ASC" ? Trial and error (and script/console) is a
> good friend :-) Sadly I don't have irb right now.

My preferred method for doing this is to pass a hash key in the sort parameter like...

  /object/action?sort=name_up

Then I do a lookup in the action...

  sort = { 'name_up' => 'name ASC', 'name_down' => 'name DESC' }
  Object.find(:all, :order => sort[params[:sort]])

This way you don't have to worry about SQL injections and you can make complicated sort orders.

_Kevin
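The allowlist lookup Kevin describes, applied to the original list action's click-to-toggle sorting, as an added example that is not code from this thread. SORT_COLUMNS, resolve_order, book_list_sql and demo are names assumed here; the bind-parameter attempts above could never work for this purpose, since bind parameters quote values as string literals and ORDER BY needs a column name, not a literal.

```ruby
# Added example (not from the thread): allowlist-based sorting for the
# "list" action discussed above. The request parameter is only ever used
# as a hash key; the fragment that reaches ORDER BY comes from this constant.
SORT_COLUMNS = {
  'publisher_id' => 'books.publisher_id',
  'title'        => 'books.title',
  'isbn'         => 'books.isbn',
}.freeze
DEFAULT_SORT = 'title'.freeze

# Resolve the requested sort key against the allowlist and apply the
# click-to-toggle rule of the original controller: requesting the same
# column that the session already holds flips it to descending.
# Unknown or missing keys fall back to the default instead of raising.
# Returns [order_fragment, value_to_store_in_session].
def resolve_order(param, previous)
  key = SORT_COLUMNS.key?(param.to_s) ? param.to_s : DEFAULT_SORT
  desc = (previous == key)
  session_value = desc ? "#{key} desc" : key
  ["#{SORT_COLUMNS[key]} #{desc ? 'DESC' : 'ASC'}", session_value]
end

# Compose the statement paginate would run (10 rows per page, as in the
# thread) so the effect of the allowlist on the final SQL is visible.
def book_list_sql(param, previous, page = 1)
  order, _ = resolve_order(param, previous)
  offset = (page - 1) * 10
  "SELECT * FROM books ORDER BY #{order} LIMIT #{offset}, 10"
end

# Simulate three clicks on the "ISBN" header followed by one request
# carrying the injection string from the thread (constructed input).
# The fourth request never reaches SQL; it resolves to the default sort.
def demo
  session = nil
  log = []
  ['isbn', 'isbn', 'isbn', 'title; drop table'].each do |p|
    order, session = resolve_order(p, session)
    log << order
  end
  log
end

puts demo if __FILE__ == $0
```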