comp.lang.ruby

How to use strings as code

Kyle Rabe

6/7/2007 10:49:00 PM

In short, I'm looking for a way to grab a string from a database and use it as code in my rails app. I understand the security implications, but it's still what I want to do (and I don't know what other options I have!).

I have an ecommerce site that I'm working on, and I want users to be able to narrow search results using filters. The filters are set up in the database so that each has a filter_key and filter_value. These are added to a hash that then fetches items that meet the desired criteria. Specifically, here's what it looks like:

@active_filters.each_value do |a|
  @filters[a.filter_key] = a.filter_value
end

@active_filters is a hash. @filters is used in the item lookup elsewhere. In the database, one filter_key is "our_price" (also a column in the items table), and the corresponding value is a range: 101..300. If I put the range into the code directly, the item lookup contains a "WHERE items.`our_price` BETWEEN 101 AND 300" statement. However, when the filter_value is returned, the statement is "WHERE items.`our_price` = '101..300'", obviously not what I'm looking for.

Does anybody have any suggestions for how to do this? ...or what I should be doing instead? I really appreciate it. My first "real" rails app has grown into a monster!

Thanks.

-Kyle


4 Answers

Giles Bowkett

6/8/2007 12:37:00 AM

0

On 6/7/07, Kyle Rabe <kyle.rabe@massstreetmusic.com> wrote:
> In short, I'm looking for a way to grab a string from a database and use it as code in my rails app. I understand the security implications, but it's still what I want to do (and I don't know what other options I have!).

it's pretty easy, but I wouldn't recommend doing it.

string = "p 'hello world'"
eval(string)

> I have an ecommerce site that I'm working on, and I want users to be able to narrow search results using filters. The filters are set up in the database so that each has a filter_key and filter_value. These are added to a hash that then fetches items that meet the desired criteria. Specifically, here's what it looks like:
>
> @active_filters.each_value do |a|
>   @filters[a.filter_key] = a.filter_value
> end
>
> @active_filters is a hash. @filters is used in the item lookup elsewhere. In the database, one filter_key is "our_price" (also a column in the items table), and the corresponding value is a range: 101..300. If I put the range into the code directly, the item lookup contains a "WHERE items.`our_price` BETWEEN 101 AND 300" statement. However, when the filter_value is returned, the statement is "WHERE items.`our_price` = '101..300'", obviously not what I'm looking for.
>
> Does anybody have any suggestions for how to do this? ...or what I should be doing instead? I really appreciate. My first "real" rails app has grown into a monster!

This is a Rails question and probably would find a happier home on the
Rails list. In fact the answer I gave you above has literally nothing
to do with your question, because it's not a Ruby eval you want but a
SQL eval. I still wouldn't recommend using eval, though. What you
really want is a clearer understanding of how databases work in
general and how Rails builds SQL in particular.

Alternatively, both Duane Johnson and Jay Fields are building SQL DSLs
for Rails in Ruby, and either one of these could give you much less
stressful ways of building the SQL, if Rails' SQL-building stresses
you out. But again this is totally a thing for the Rails list, you're
in the wrong part of town for this kind of thing.

--
Giles Bowkett

Blog: http://gilesbowkett.bl...
Portfolio: http://www.gilesg...

Robert Klemme

6/8/2007 10:30:00 AM

0

On 08.06.2007 02:36, Giles Bowkett wrote:
> On 6/7/07, Kyle Rabe <kyle.rabe@massstreetmusic.com> wrote:
>> In short, I'm looking for a way to grab a string from a database and
>> use it as code in my rails app. I understand the security
>> implications, but it's still what I want to do (and I don't know what
>> other options I have!).
>
> it's pretty easy, but I wouldn't recommend doing it.
>
> string = "p 'hello world'"
> eval(string)

To make it safer, he could do some checks to verify the filter is legal,
something like

def convert(filter)
  case filter
  # an integer range ("101..300", "101...300") or a single integer; \A and \z anchor the whole string
  when /\A\d+\.{2,3}\d+\z/, /\A[+-]?\d+\z/
    eval filter
  # ... further accepted shapes go here
  else
    raise "Filter Error: #{filter}"
  end
end

Kind regards

robert
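Robert's allow-list check carried through without eval, as an added example that is not part of the thread. The two accepted shapes are recognised by anchored regexes and then built with Range.new and Integer(), so the stored string never reaches the Ruby interpreter; the regex names, the FilterError class and the sample values are this example's own, not Robert's or Kyle's.

```ruby
# Added example (not from the thread): Robert's allow-list check, carried
# through without eval. The two accepted shapes are parsed by regex and
# turned into a Range or an Integer with Range.new and Integer(), so the
# stored string is never handed to the Ruby interpreter. Everything else,
# including syntactically valid Ruby, raises.

class FilterError < StandardError; end

# Both patterns are anchored with \A and \z: ^ and $ would match per line
# and let "42\nsystem('id')" through the integer check.
RANGE_RE   = /\A(?<lo>[+-]?\d+)(?<dots>\.{2,3})(?<hi>[+-]?\d+)\z/
INTEGER_RE = /\A[+-]?\d+\z/

def parse_filter(filter)
  filter = filter.to_s
  case filter
  when RANGE_RE
    m = Regexp.last_match
    # "101..300" is inclusive, "101...300" excludes the end, as in Ruby.
    Range.new(Integer(m[:lo], 10), Integer(m[:hi], 10), m[:dots].length == 3)
  when INTEGER_RE
    Integer(filter, 10)
  else
    raise FilterError, "Filter Error: #{filter.inspect}"
  end
end

# True when the value is refused; used below and in tests.
def rejected?(filter)
  parse_filter(filter)
  false
rescue FilterError
  true
end

# Constructed sample values: the legitimate shapes from the question and
# strings an unguarded eval would have executed or misread.
ACCEPTED = {
  "101..300" => 101..300,
  "1...10"   => 1...10,
  "42"       => 42,
  "-7"       => -7,
}.freeze

REJECTED = [
  "1..3; system('id')",  # valid Ruby, not a filter
  "`id`",                # backtick command substitution
  "42\nsystem('id')",    # multi-line payload caught by \A ... \z
  "1..",                 # endless range, not a supported shape
  "1.5..2.5",            # floats are not accepted either
  "",
].freeze

if __FILE__ == $PROGRAM_NAME
  ACCEPTED.each { |s, v| puts "#{s.inspect} => #{parse_filter(s).inspect} (#{parse_filter(s) == v})" }
  REJECTED.each { |s| puts "#{s.inspect} rejected: #{rejected?(s)}" }
end
```

Robert's regexes already confine eval to digits and dots, so the eval in his version is not exploitable as written; the point of parsing instead is that the safety no longer depends on the regex staying exactly that strict when someone adds the next `when` branch.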

dblack

6/8/2007 11:26:00 AM

0

Kyle Rabe

6/8/2007 2:45:00 PM

0

Wow, I appreciate all of the quick responses! I asked here because I figured converting a string into active code was more of a Ruby than a Rails thing, but I see how it could have been better put to the Rails lists.

Thanks again!

-Kyle

On Fri, 8 Jun 2007 20:25:53 +0900, dblack@wobblini.net wrote:
> Hi --
>
> On Fri, 8 Jun 2007, Robert Klemme wrote:
>
>> On 08.06.2007 02:36, Giles Bowkett wrote:
>>> On 6/7/07, Kyle Rabe <kyle.rabe@massstreetmusic.com> wrote:
>>>> In short, I'm looking for a way to grab a string from a database and
>>>> use it as code in my rails app. I understand the security implications,
>>>> but it's still what I want to do (and I don't know what other options I
>>>> have!).
>>>
>>> it's pretty easy, but I wouldn't recommend doing it.
>>>
>>> string = "p 'hello world'"
>>> eval(string)
>>
>> To make it safer, he could do some checks to verify the filter is legal,
>> something like
>>
>> def convert(filter)
>>   case filter
>>   when /\A\d+\.{2,3}\d+\z/, /\A[+-]?\d+\z/
>>     eval filter
>>     ...
>>   else
>>     raise "Filter Error: #{filter}"
>>   end
>> end
>
> Another thought would be to store the ranges as non-code data, in
> their own table -- basically two integers per record -- and then
> construct the range dynamically (but just using regular range syntax,
> without eval) from those values.
>
>
> David
>
> --
> Q. What is THE Ruby book for Rails developers?
> A. RUBY FOR RAILS by David A. Black (http://www.manning...)
> (See what readers are saying! http://www.r.../r...)
> Q. Where can I get Ruby/Rails on-site training, consulting, coaching?
> A. Ruby Power and Light, LLC (http://www.r...)
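dblack's suggestion (quoted in Kyle's reply above) carried through to the SQL Kyle wanted, as an added example that is not part of the thread. A range filter is stored as two integers rather than as the text "101..300", the Range is rebuilt with Range.new instead of eval, and the WHERE fragment is assembled from an allow-list of column names with bind placeholders, so a Range becomes BETWEEN ? AND ? rather than = '101..300'. The StoredFilter struct, the low_value/high_value columns, the FILTERABLE_COLUMNS list and where_clause are this example's assumptions; where_clause stands in for ActiveRecord's own SQL building and is not its code.

```ruby
# Added example (not from the thread): dblack's suggestion carried through.
# A range filter is stored as two integers rather than as the text
# "101..300", the Range is rebuilt with Range.new instead of eval, and the
# WHERE fragment is assembled from an allow-list of column names with bind
# placeholders, so a Range becomes BETWEEN ? AND ? instead of = '101..300'.
# The table and column names are assumptions, and where_clause is a stand-in
# for ActiveRecord's own SQL building, not its code.

class FilterError < StandardError; end

# Stand-in for a filters row: low_value/high_value are hypothetical
# integer columns; high_value is nil for a single-value filter.
StoredFilter = Struct.new(:filter_key, :low_value, :high_value)

# Column names are interpolated into SQL as identifiers, which bind
# parameters cannot quote, so they must come from a fixed list.
FILTERABLE_COLUMNS = %w[our_price weight year].freeze

def check_column!(name)
  name = name.to_s
  raise FilterError, "unknown filter column #{name.inspect}" unless FILTERABLE_COLUMNS.include?(name)
  name
end

# Same loop as in the question, but the value placed in the hash is a
# Range or an Integer built from integer columns, never a string of code.
def build_filters(active_filters)
  active_filters.each_value.with_object({}) do |row, filters|
    key = check_column!(row.filter_key)
    low = Integer(row.low_value)
    filters[key] = row.high_value.nil? ? low : Range.new(low, Integer(row.high_value))
  end
end

# {"our_price" => 101..300, "year" => 1999} becomes
# ["items.`our_price` BETWEEN ? AND ? AND items.`year` = ?", [101, 300, 1999]]
# BETWEEN is inclusive, so an exclusive integer range ends one below.
def where_clause(filters)
  conditions = []
  binds = []
  filters.each do |column, value|
    column = check_column!(column)
    case value
    when Range
      last = value.exclude_end? ? value.end - 1 : value.end
      conditions << "items.`#{column}` BETWEEN ? AND ?"
      binds.push(value.begin, last)
    when Integer
      conditions << "items.`#{column}` = ?"
      binds << value
    else
      raise FilterError, "unsupported filter value #{value.inspect} for #{column}"
    end
  end
  [conditions.join(" AND "), binds]
end

# Constructed rows standing in for @active_filters.
ACTIVE_FILTERS = {
  1 => StoredFilter.new("our_price", 101, 300),
  2 => StoredFilter.new("year", 1999, nil),
}.freeze

if __FILE__ == $PROGRAM_NAME
  sql, binds = where_clause(build_filters(ACTIVE_FILTERS))
  puts sql
  p binds
end
```

The column check matters as much as dropping eval: filter_key is spliced into the statement as an identifier, which a bind parameter cannot protect, so a stored key such as ``our_price` = 1 OR 1=1 -- `` has to be refused before it reaches the query.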