ansaurus

Question

Is it possible to have variable find conditions for both the key and value?

Answer 1

+3 A:

If you want to convert a string to symbol(which is what params[:key] produces, all you need to do is

params[:key].to_s.to_sym

2 points:

A word of caution : symbols are not garbage collected.
Make sure your key is not a number, if you convert to_s first then to_sym, your code will work but you may get a wierd symbol like this:

:"5"

Nick Gorbikoff 2010-04-21 15:52:17

Thanks Nick. I'm afraid I asked the wrong question perhaps. @employee = Employee.find(:all, :conditions => [ '? = ?', params[:key].to_s.to_sym, params[:value].to_i)Produces the following SQL output:SELECT * FROM `employees` WHERE ('--- :is_manager\n' = 1)I think I must have a error in my logic rather than syntax. I could do a case statement where I check what the params[:key] is and do the appropriate find (in this case it would be [:is_manager = ?, params[:value].to_i]). But I was hoping to be a bit more dynamic and not have to redo each case individually.

DarrenD 2010-04-21 16:08:38

I kind of answered what you asked, not what you meant :-) I'm not sure what you ask for is possible or most importantly - desired, at least not according to rails spec http://api.rubyonrails.org/classes/ActiveRecord/Base.html . The problem is that it's a potential big security hole. Assume this is an HR application: what if somebody will pass for a key = salary. Then they can potentially pull salary info or ssn info for any person. I mean sure you could put all sort of role-based security, but that would defeat the purpose of saving you time you would spent writing out your case statement.

Nick Gorbikoff 2010-04-21 16:35:14

Gotcha. The key is coming from a select box, so I'm only accepting specific values (plus I'm authenticating as this is an 'admin' tool). But I hear ya. Case statement it is :)

DarrenD 2010-04-21 16:42:09

Answer 2

+1 A:

"string".to_sym

kingjeffrey 2010-04-21 15:52:35

Answer 3

+1 A:

You could use variable substitution for column name instead of using bind values:

# make sure the key passed is a valid column
if Employee.columns_hash[params[:key]]
  Employee.all :conditions => [ "#{params[:key]} = ?", params[:value]]
end

You can further secure the solution by ensuring column name passed belongs to a pre selected set.:

if ["first_name", "last_name"].include? [params[:key]]
  Employee.all :conditions => [ "#{params[:key]} = ?", params[:value]]
end

KandadaBoggu 2010-04-21 18:00:26

Fixed the syntax error in the code.

KandadaBoggu 2010-04-21 19:44:48

I still think it's a bad idea from a security standpoint.

Nick Gorbikoff 2010-04-21 23:32:01

This is a generic solution. User can have a valid keys hash and use that for validation (instead of columns_hash). His original issue is due to the fact the col name was substituted using the bind variables and rails surrounded the col names with quotes. This will not be addressed by passing a symbol (instead of string) for col name parameter. I added `columns_hash` validation as a guide line for adding a check to limit the column names to a known set. That should the security issue.

KandadaBoggu 2010-04-22 00:05:21

ansaurus

tags:

views:

answers:

Is it possible to have variable find conditions for both the key and value?

related questions