How to use strings as code


Kyle Rabe

In short, I'm looking for a way to grab a string from a database and use it as code in my rails app. I understand the security implications, but it's still what I want to do (and I don't know what other options I have!).

I have an ecommerce site that I'm working on, and I want users to be able to narrow search results using filters. The filters are set up in the database so that each has a filter_key and filter_value. These are added to a hash that then fetches items that meet the desired criteria. Specifically, here's what it looks like:

@active_filters.each_value do |a|
  @filters[a.filter_key] = a.filter_value
end

@active_filters is a hash. @filters is used in the item lookup elsewhere. In the database, one filter_key is "our_price" (also a column in the items table), and the corresponding value is a range: 101..300. If I put the range into the code directly, the item lookup contains a "WHERE items.`our_price` BETWEEN 101 AND 300" statement. However, when the filter_value is returned, the statement is "WHERE items.`our_price` = '101..300'", obviously not what I'm looking for.

Does anybody have any suggestions for how to do this? ...or what I should be doing instead? I really appreciate it. My first "real" rails app has grown into a monster!

Thanks.

-Kyle
 

Giles Bowkett

In short, I'm looking for a way to grab a string from a database and use it as code in my rails app. I understand the security implications, but it's still what I want to do (and I don't know what other options I have!).

it's pretty easy, but I wouldn't recommend doing it.

string = "p 'hello world'"
eval(string)
I have an ecommerce site that I'm working on, and I want users to be able to narrow search results using filters. The filters are set up in the database so that each has a filter_key and filter_value. These are added to a hash that then fetches items that meet the desired criteria. Specifically, here's what it looks like:

@active_filters.each_value do |a|
  @filters[a.filter_key] = a.filter_value
end

@active_filters is a hash. @filters is used in the item lookup elsewhere. In the database, one filter_key is "our_price" (also a column in the items table), and the corresponding value is a range: 101..300. If I put the range into the code directly, the item lookup contains a "WHERE items.`our_price` BETWEEN 101 AND 300" statement. However, when the filter_value is returned, the statement is "WHERE items.`our_price` = '101..300'", obviously not what I'm looking for.

Does anybody have any suggestions for how to do this? ...or what I should be doing instead? I really appreciate it. My first "real" rails app has grown into a monster!

This is a Rails question and probably would find a happier home on the
Rails list. In fact the answer I gave you above has literally nothing
to do with your question, because it's not a Ruby eval you want but a
SQL eval. I still wouldn't recommend using eval, though. What you
really want is a clearer understanding of how databases work in
general and how Rails builds SQL in particular.

Alternatively, both Duane Johnson and Jay Fields are building SQL DSLs
for Rails in Ruby, and either one of these could give you much less
stressful ways of building the SQL, if Rails' SQL-building stresses
you out. But again this is totally a thing for the Rails list, you're
in the wrong part of town for this kind of thing.
 

Robert Klemme

it's pretty easy, but I wouldn't recommend doing it.

string = "p 'hello world'"
eval(string)

To make it safer, he could do some checks to verify the filter is legal,
something like

def convert(filter)
  case filter
  when /\A\d+\.{2,3}\d+\z/, /\A[+-]?\d+\z/
    eval filter
  ...
  else
    raise "Filter Error: #{filter}"
  end
end

Kind regards

robert
 

dblack

Hi --

it's pretty easy, but I wouldn't recommend doing it.

string = "p 'hello world'"
eval(string)

To make it safer, he could do some checks to verify the filter is legal,
something like

def convert(filter)
  case filter
  when /\A\d+\.{2,3}\d+\z/, /\A[+-]?\d+\z/
    eval filter
  ...
  else
    raise "Filter Error: #{filter}"
  end
end

Another thought would be to store the ranges as non-code data, in
their own table -- basically two integers per record -- and then
construct the range dynamically (but just using regular range syntax,
without eval) from those values.


David

--
Q. What is THE Ruby book for Rails developers?
A. RUBY FOR RAILS by David A. Black (http://www.manning.com/black)
(See what readers are saying! http://www.rubypal.com/r4rrevs.pdf)
Q. Where can I get Ruby/Rails on-site training, consulting, coaching?
A. Ruby Power and Light, LLC (http://www.rubypal.com)
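One eval-free way to do what Robert's regex check and David's "store it as data" suggestion both point at, as an added example that is not code from anyone in this thread: the filter_value string is parsed into a plain Integer or Range, so nothing from the database is ever executed. ActiveFilter is a stand-in struct for the model, and ALLOWED_KEYS is an assumed whitelist of filterable columns.

```ruby
# Added example: turn filter_value strings into Ruby values without eval.
# Only two shapes are accepted, the same ones Robert's regexes describe:
# an integer range "101..300" / "101...300" and a plain integer "42".
# Anything else raises, so a tampered row can never reach eval or the query.
class FilterError < StandardError; end

RANGE_RE   = /\A(?<lo>[+-]?\d+)(?<dots>\.{2,3})(?<hi>[+-]?\d+)\z/
INTEGER_RE = /\A[+-]?\d+\z/

def convert(filter)
  case filter
  when RANGE_RE
    m = Regexp.last_match               # set by the `when` regexp match
    lo, hi = Integer(m[:lo], 10), Integer(m[:hi], 10)
    raise FilterError, "empty range: #{filter}" if lo > hi
    Range.new(lo, hi, m[:dots].length == 3)  # "..." means exclusive end
  when INTEGER_RE
    Integer(filter, 10)
  else
    raise FilterError, "Filter Error: #{filter.inspect}"
  end
end

# Stand-in for the ActiveRecord model rows held in @active_filters (assumption).
ActiveFilter = Struct.new(:filter_key, :filter_value)

# Assumed whitelist of columns that may be filtered on; filter_key also comes
# from the database, so it is checked before it is used as a hash key.
ALLOWED_KEYS = %w[our_price category_id].freeze

# Same loop as the original post, but with parsed values. Handing
# { "our_price" => 101..300 } to ActiveRecord yields
# "our_price BETWEEN 101 AND 300" instead of "our_price = '101..300'".
def build_filters(active_filters)
  active_filters.each_value.with_object({}) do |a, filters|
    key = a.filter_key.to_s
    raise FilterError, "unknown filter key: #{key}" unless ALLOWED_KEYS.include?(key)
    filters[key] = convert(a.filter_value.to_s)
  end
end
```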
 

Kyle Rabe

Wow, I appreciate all of the quick responses! I asked here because I figured converting a string into active code was more of a Ruby than a Rails thing, but I see how it could have been better put to the Rails lists.

Thanks again!

-Kyle

 
