I want to retrieve objects based on two attributes - pay_period and user. I have no problem with this if an exact pay_period and user are selected. However, I want "All" to be an option for the two fields and I don''t know how to get my code to accept "All" as an option and then act appropriately. Any help would be appreciated. This is the code I have right now... controller: @sessions = Session.find_all_for_user(current_user.id, params[:pay_period]) model: def self.find_all_for_user(user, pay_period) find(:all, :conditions => "user_id = #{user} AND pay_period_id #{pay_period}") end --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Wouldn''t a user have many pay periods? @user.pay_periods --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
I think you may be misunderstanding. I''m looking up Session objects that have the attribute "user" and "pay_period" On Jan 6, 11:40 pm, "Ryan Bigg" <radarliste...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Wouldn''t a user have many pay periods? > > @user.pay_periods--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ok in that case: Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) is already built into Rails. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ryan Bigg wrote:> Ok in that case: > > Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) is > already built into Rails.Ryan, I read your comment and I thought it was funny at first because I thought you were playing around and then I realized how amazing Rails is because I''m guessing the code above probably works. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Indeed it''s part of the "awesomeness" of Rails. It''ll let you do a find_by_field_1_and_field_2, but bad luck to you if one of your fields contains the word "and" or "or". --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
But is there a way to pass something like ":all" into one of the parameters? Or would I just have to use a different method - if user_id = "all"; Session.find_all_by_pay_period_id(pay_period_id) ? On Jan 6, 11:57 pm, "Ryan Bigg" <radarliste...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Ok in that case: > > Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) is > already built into Rails.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
omaraliqureshi-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org
2008-Jan-07 14:34 UTC
Re: asking for help with a database lookup
condition = true? Session.find_all_by_user_id_and_pay_period_id(true,pay_period_id) ? note: untested On Jan 7, 2:15 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> But is there a way to pass something like ":all" into one of the > parameters? Or would I just have to use a different method - if > user_id = "all"; Session.find_all_by_pay_period_id(pay_period_id) ? > > On Jan 6, 11:57 pm, "Ryan Bigg" <radarliste...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > Ok in that case: > > > Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) is > > already built into Rails.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
omaraliqureshi-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org
2008-Jan-07 14:37 UTC
Re: asking for help with a database lookup
Guess that doesn''t work, you could make a self method which takes the two parameters and checks for string "all" On Jan 7, 2:34 pm, "omaraliqure...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org" <omaraliqure...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:> condition = true? > > Session.find_all_by_user_id_and_pay_period_id(true,pay_period_id) ? > > note: untested > > On Jan 7, 2:15 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > But is there a way to pass something like ":all" into one of the > > parameters? Or would I just have to use a different method - if > > user_id = "all"; Session.find_all_by_pay_period_id(pay_period_id) ? > > > On Jan 6, 11:57 pm, "Ryan Bigg" <radarliste...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > > Ok in that case: > > > > Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) is > > > already built into Rails.--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Jan 6, 8:33 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> def self.find_all_for_user(user, pay_period) > find(:all, :conditions => "user_id = #{user} AND pay_period_id => #{pay_period}") > endIf "all" is chosen for a parameter, how about substituting its column name instead of the value? Something like :conditions => "user_id = #{@all_users ? ''user_id'' : user_id} --etc So that if @all_users was true, you''d end up with :conditions => "user_id = user_id" which would give you all users. Just an idea. ///ark --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Mark - that seems to work. Thank you. However, after Ryan Bigg posted the helper, Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) I''m curious as to whether this can be tweaked to accept "All" for one or both of the parameters. On Jan 7, 1:46 pm, Mark Wilden <m...-OCn100epQuBBDgjK7y7TUQ@public.gmane.org> wrote:> On Jan 6, 8:33 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > def self.find_all_for_user(user, pay_period) > > find(:all, :conditions => "user_id = #{user} AND pay_period_id => #{pay_period}") > > end > > If "all" is chosen for a parameter, how about substituting its column > name instead of the value? Something like > > :conditions => "user_id = #{@all_users ? ''user_id'' : user_id} --etc > > So that if @all_users was true, you''d end up with > > :conditions => "user_id = user_id" > > which would give you all users. > > Just an idea. > > ///ark--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Jan 7, 10:58 am, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> However, after Ryan Bigg posted the helper, > Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) > I''m curious as to whether this can be tweaked to accept "All" for one > or both of the parameters.That method is dynamically generated by Rails, so there''s nowhere to tweak it. Rails has no builtin support for your query. Just create your own method in the model, named what you like, using the code I posted or something like it. Any trouble - just ask away. ///ark --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Got it, thank you! On Jan 7, 3:08 pm, Mark Wilden <m...-OCn100epQuBBDgjK7y7TUQ@public.gmane.org> wrote:> On Jan 7, 10:58 am, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > However, after Ryan Bigg posted the helper, > > Session.find_all_by_user_id_and_pay_period_id(user_id,pay_period_id) > > I''m curious as to whether this can be tweaked to accept "All" for one > > or both of the parameters. > > That method is dynamically generated by Rails, so there''s nowhere to > tweak it. Rails has no builtin support for your query. > > Just create your own method in the model, named what you like, using > the code I posted or something like it. Any trouble - just ask away. > > ///ark--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Jan 6, 10:33 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> I want to retrieve objects based on two attributes - pay_period and > user. I have no problem with this if an exact pay_period and user are > selected. However, I want "All" to be an option for the two fields and > I don''t know how to get my code to accept "All" as an option and then > act appropriately. Any help would be appreciated. >I prefer to use the empty string for this purpose rather than an arbitrary magic value like "All". Then you don''t have to worry about someone having the user id ''all''. In the view: <select><option value="">All</option>...</select> Then: # Find sessions by user id and pay period. # +user+: user id, or blank for all users # +pay_period+: pay period, or blank for all pay periods define self.find_all_for_user(user, pay_period) conditions = [[]] unless user.blank? conditions.push[user] conditions.first << ''user_id = '' end unless pay_period.blank? conditions.push[pay_period] conditions.first << ''pay_period_id = '' end end conditions.first = conditions.first.join('' AND '') Session.find(:all, :conditions => conditions)> This is the code I have right now... > controller: > @sessions = Session.find_all_for_user(current_user.id, > params[:pay_period]) > > model: > def self.find_all_for_user(user, pay_period) > find(:all, :conditions => "user_id = #{user} AND pay_period_id > #{pay_period}")Be careful. This code is vulnerable to SQL injection attacks. Most people prefer this: find(:all, :conditions => [ ''user_id = ? AND pay_period_id = ?'', user, pay_period_id ])> end--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Ahh great. However, what makes find(:all, :conditions => "user_id = #{user} AND pay_period_id #{pay_period}") vulnerable to SQL injection attacks? Especially since it''s in the model. On Jan 7, 8:56 pm, kevin cline <kevin.cl...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> On Jan 6, 10:33 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > I want to retrieve objects based on two attributes - pay_period and > > user. I have no problem with this if an exact pay_period and user are > > selected. However, I want "All" to be an option for the two fields and > > I don''t know how to get my code to accept "All" as an option and then > > act appropriately. Any help would be appreciated. > > I prefer to use the empty string for this purpose rather than an > arbitrary magic value like "All". Then > you don''t have to worry about someone having the user id ''all''. > > In the view: > > <select><option value="">All</option>...</select> > > Then: > > # Find sessions by user id and pay period. > # +user+: user id, or blank for all users > # +pay_period+: pay period, or blank for all pay periods > > define self.find_all_for_user(user, pay_period) > conditions = [[]] > > unless user.blank? > conditions.push[user] > conditions.first << ''user_id = '' > end > > unless pay_period.blank? > conditions.push[pay_period] > conditions.first << ''pay_period_id = '' > end > end > > conditions.first = conditions.first.join('' AND '') > > Session.find(:all, :conditions => conditions) > > > This is the code I have right now... > > controller: > > @sessions = Session.find_all_for_user(current_user.id, > > params[:pay_period]) > > > model: > > def self.find_all_for_user(user, pay_period) > > find(:all, :conditions => "user_id = #{user} AND pay_period_id > > #{pay_period}") > > Be careful. This code is vulnerable to SQL injection attacks. Most > people prefer this: > > find(:all, :conditions => [ ''user_id = ? AND pay_period_id = ?'', > user, pay_period_id ]) > > > end--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
eggman2001 wrote:> Ahh great. > > However, what makes > find(:all, :conditions => "user_id = #{user} AND pay_period_id > #{pay_period}") > vulnerable to SQL injection attacks? Especially since it''s in the > model.It could be perfectly safe, but it''s potentially susceptible to someone entering malicious content that would cause your SQL query to do something bad. It''s a good practice to use the ? value replacement. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
For details, see AWDWR 2nd Ed page 600 .. 604 Jeremy Weiskotten wrote:> eggman2001 wrote: >> Ahh great. >> >> However, what makes >> find(:all, :conditions => "user_id = #{user} AND pay_period_id >> #{pay_period}") >> vulnerable to SQL injection attacks? Especially since it''s in the >> model. > > It could be perfectly safe, but it''s potentially susceptible to someone > entering malicious content that would cause your SQL query to do > something bad. It''s a good practice to use the ? value replacement.-- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Jan 7, 5:56 pm, kevin cline <kevin.cl...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > model: > > def self.find_all_for_user(user, pay_period) > > find(:all, :conditions => "user_id = #{user} AND pay_period_id > > #{pay_period}") > > Be careful. This code is vulnerable to SQL injection attacks.If that code is vulnerable to SQL injection, then that project has some very major problems! :) ///ark --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Well, it doesn''t seem like there''s that much code to change to go from the insecure to secure method. On Jan 10, 8:22 pm, Mark Wilden <m...-OCn100epQuBBDgjK7y7TUQ@public.gmane.org> wrote:> On Jan 7, 5:56 pm, kevin cline <kevin.cl...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > > model: > > > def self.find_all_for_user(user, pay_period) > > > find(:all, :conditions => "user_id = #{user} AND pay_period_id > > > #{pay_period}") > > > Be careful. This code is vulnerable to SQL injection attacks. > > If that code is vulnerable to SQL injection, then that project has > some very major problems! :) > > ///ark--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Jan 10, 5:30 pm, eggman2001 <sod...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Well, it doesn''t seem like there''s that much code to change to go from > the insecure to secure method.There isn''t. And I would also use substitution just out of habit, if nothing else. I was just pointing out that the particular code in question could not reasonably have permitted an injection attack. ///ark --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---