Advanced Search In Ruby on Rails


#1

Hi all,
I am working with Ruby on Rails, and now I am having a problem with an advanced
search that uses multiple checkboxes and multiple radio buttons. When I submit,
it doesn't show the result, so I hope all of you will try and take the
time to do it for me. Best regards, and thanks in advance!

   sincerely
         khim

#2

Could you paste in some of your code? What example are you using?

Khim Sreang wrote:

Hi all,
I am working with Ruby on Rails, and now I am having a problem with an advanced
search that uses multiple checkboxes and multiple radio buttons. When I submit,
it doesn't show the result, so I hope all of you will try and take the
time to do it for me. Best regards, and thanks in advance!

   sincerely
         khim

#3

Heavy interface you got there. Still, without your code nobody will be
able to tell you where you went wrong.


#4

<%= stylesheet_link_tag 'dynamicStyling' %>

You're going to have to trim this down a lot - people answer questions on
this list out of good will, and for most people that doesn't include
reading 500+ lines of code. I will say this: global variables, yuck; I
hope all those * symbols aren't actually in your code; and you are
opening yourself to SQL injection.
Reduce your problem to a short example (you still haven't said what it
is that isn't working) and you might get some help.

Fred


#5

With code like this:

def advanced_search
  $elementspro = params[:elementprovince]
  $elementstype = params[:elementstype]
  $elementsequipment = params[:elementsequipment]
  $elementdown = params[:elementdown]
  $elementstatus = params[:elementstatus]
  $elementapproval = params[:elementapproval]
  $elementteam = params[:elementteam]
  $elementstaffname = params[:elementstaffname]
  $frm_view_setup = params[:frm_view_setup]
  @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
    :conditions => "province='" + $elementspro + "'" + "or type_of_job='" + $elementstype + "'" +
      "or equipment_part='" + $elementsequipment + "'" + "or sitedown='" + $elementdown + "'" +
      "or job_status='" + $elementstatus + "'" + "or job_status='" + $elementapproval + "'" +
      "or team_on_job='" + $elementteam + "'" + "or RecorderName='" + $elementstaffname + "'",
    :order => 'jobNo ASC', :per_page => $per_page
end

you might as well post your database password in public. This is
dangerous code. It allows SQL injection.

It’s pretty clear you come from a PHP world. I suggest you read a few
books on Ruby programming, and google a bit for “rails sql injection.”
Your code is a security nightmare.


#6

=================advanced_search.rhtml=========================

<%= stylesheet_link_tag 'dynamicStyling' %>

<%
if params[:page]
  page = params[:page]
else
  page = 1
end
%>

  • Modify
  • History
  • Transfer
  • Reject
  • View Job Setup
  • PSS JOB DESCRIPTION - MODIFY

<% if flash[:notice] %>
<%= flash[:notice] %>
<% end %>

<% form_for :tblpss_description_record, @tblpss_description_record,
     :url => { :action => 'view_detail_job_setup' },
     :html => { :id => 'frm_view_setup', :name => 'frm_view_setup', :method => :get } do |f| %>

[form body: only the option labels of each checkbox group and a few checkbox tags survived extraction]

TIME: ALL, TODAY, ONE WEEK, TWO WEEK, THIS MONTH, TWO MONTH, THREE MONTH, SIX MONTH

PROVINCE: UNCHECK, ALL, PHNOM PENH, BANTEAY MEANCHEY, BATTAMBANG, KAMPONG CHAM, KAMPONG CHHNANG, KAMPONG SPEU, KAMPONG THOM, KAMPOT, KANDAL, KEP VILLE, KOH KONG, KRATIE, MONDOL KIRI, ODORMEANCHEY, PAILIN, PREAH VIHEAR, PREY VENG, PURSAT, RATTANAKIRI, SIEM REAP, SIHANOUK VILLE, STUNG SRENG, SVAY RIENG, TAKEO
  <input type="checkbox" name="elementprovince" value="TAKEO" id="optPROVINCE">

TYPE OF JOB: UNCHECK, ALL, PREVENTIVE, CORRECTIVE, INSTALLATION, OTHER

EQUIPMENT PART: UNCHECK, ALL, ELECTRICITY, GENERATOR, RECTIFIER, BATTERY, AIR CONDITION, OTHER

DOWNTIME: UNCHECK, ALL, YES, NO

STATUS: UNCHECK, ALL, WORKING, PENDING, CLOSE, REJECTED

APPROVAL: UNCHECK, ALL, APPROVED

TEAM: UNCHECK, ALL, TEAM 1, TEAM 2, TEAM 3, TEAM 4, OTHER

STAFF NAME: UNCHECK, ALL, CHANDARA, CHAMNAN, CHENG, CHINVEY, CHHIM, DANO, DSOPHORN, KOSAL, KIMRIM, HEAN, MOASAM, NADA, RUMNEA, SOMANIN, SOPHY, SOPHAL, SOKHA, SARIN, SOKOUL, SAMNANG, PHEARIT, VENG, VANNAK, YOULEANG
  <input type="checkbox" name="elementstaffname" value="CHAMNAN" id="optSTAFF">
  <input type="checkbox" name="elementstaffname" value="CHINVEY" id="optSTAFF">
  <input type="checkbox" name="elementstaffname" value="SOMANIN" id="optSTAFF">
  <input type="checkbox" name="elementstaffname" value="SAMNANG" id="optSTAFF">
  <input type="checkbox" name="elementstaffname" value="PHEARIT" id="optSTAFF">

<% end %>

<a class="cmd_submit clearfix" onClick="get_check_value();">SUBMIT</a>
<a class="cmd_submit clearfix" onClick="javascript:{}">CANCEL</a>
================end==================

=============in advancedsearch Controller

def advanced_search
  $elementspro = params[:elementprovince]
  $elementstype = params[:elementstype]
  $elementsequipment = params[:elementsequipment]
  $elementdown = params[:elementdown]
  $elementstatus = params[:elementstatus]
  $elementapproval = params[:elementapproval]
  $elementteam = params[:elementteam]
  $elementstaffname = params[:elementstaffname]
  $frm_view_setup = params[:frm_view_setup]
  @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
    :conditions => "province='" + $elementspro + "'" + "or type_of_job='" + $elementstype + "'" +
      "or equipment_part='" + $elementsequipment + "'" + "or sitedown='" + $elementdown + "'" +
      "or job_status='" + $elementstatus + "'" + "or job_status='" + $elementapproval + "'" +
      "or team_on_job='" + $elementteam + "'" + "or RecorderName='" + $elementstaffname + "'",
    :order => 'jobNo ASC', :per_page => $per_page
end


#7

On Mar 15, 8:46 am, Michael G. removed_email_address@domain.invalid wrote:

$elementstaffname = params[:elementstaffname]

you might as well post your database password in public. This is
dangerous code. It allows SQL injection.

It’s pretty clear you come from a PHP world. I suggest you read a few
books on Ruby programming, and google a bit for “rails sql injection.”
Your code is a security nightmare.

==============================

Hi Mr. Michael G.

Thanks a million for your advice, but I want to use Ruby on Rails
because I just use it on a LAN only. My advanced search is the same as
http://bitnami.org/advanced_search; they worked in Ruby on Rails too. I
try my best to do it like that, but I still get failures. Now I will show you
a bit of my code in the controller:

def view_detail_job_setup
  if request.get?
    elementdowns = params[:elementdown]
    elementstatus = params[:elementstatus]
    @tblpss_description_records = []
    for elmdown in elementdowns
      case elmdown
      when "ALL"
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :order => 'jobNo ASC', :per_page => $per_page
        break
      when "YES"
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :conditions => "sitedown='" + elmdown + "'", :order => 'jobNo ASC', :per_page => $per_page
        break
      when "NO"
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :conditions => "sitedown='" + elmdown + "'", :order => 'jobNo ASC', :per_page => $per_page
        break
      else
        @tblpss_description_records = TblpssDescriptionRecord.paginate :page => params[:page],
          :conditions => "sitedown='YES' and sitedown='NO'", :order => 'jobNo ASC', :per_page => $per_page
        break
      end
    end
  end
end

So can you give me more advice about it?

Thanks in advance


#8

Please, please, please

use readable names for your variables or class names.

What does TblpssDescriptionRecord mean?

I tried to rewrite it to help you, but it's really too ugly and really
doesn't mean anything.

STOP reassigning your params vars; use:

params[:elementdown].each do |element_down|

end if params[:elementdown]

and why do you repeat your find in each when?
Why not:

conditions = case xxx
when … then nil
when … then ['sitedown = ?', element_down]
end

YourFuckingUnreadableModel.paginate(:conditions =>
conditions, :per_page => per_page, :page => page)

huh?

You should learn coding before Ruby or Rails.
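As an added example (not code from this thread or from the poster's project), here is how the thread's checkbox parameters can be turned into the :conditions array that ActiveRecord and will_paginate accept, so that values are bound rather than concatenated into the SQL text. The SEARCH_FIELDS map, the handling of "ALL" and of unticked boxes, the helper names, and the simplified render_conditions stand-in for the adapter's quoting are assumptions made for this example; the parameter names and column names are the ones used in the thread.

```ruby
# Added example, not code from the thread. Builds the ["sql with ?", bind, ...]
# :conditions array from multi-checkbox params so values are never concatenated.
# SEARCH_FIELDS, the "ALL" handling and all helper names are assumptions.

# Parameter name => column. Columns come only from this map, so a client can
# never choose or inject a column name; only the values vary.
SEARCH_FIELDS = {
  "elementprovince"   => "province",
  "elementstype"      => "type_of_job",
  "elementsequipment" => "equipment_part",
  "elementdown"       => "sitedown",
  "elementstatus"     => "job_status",
  "elementapproval"   => "job_status",
  "elementteam"       => "team_on_job",
  "elementstaffname"  => "RecorderName",
}.freeze

# Returns nil (no filter at all) or ["col IN (?) OR col IN (?) ...", [values], ...].
# A field with no box ticked, or with "ALL" ticked, adds no clause. The fields
# are joined with OR, as in the thread's original query. Each bind is an Array,
# which ActiveRecord expands to a quoted, comma-separated list for IN (?).
def advanced_search_conditions(params)
  clauses = []
  binds = []
  SEARCH_FIELDS.each do |param_name, column|
    values = Array(params[param_name]).map(&:to_s).reject(&:empty?)
    next if values.empty? || values.include?("ALL")
    clauses << "#{column} IN (?)"
    binds << values
  end
  return nil if clauses.empty?
  [clauses.join(" OR "), *binds]
end

# The thread's approach for one field: the raw value becomes part of the SQL
# text itself, so an apostrophe in the value closes the literal early.
def concatenated_conditions(column, value)
  column + "='" + value.to_s + "'"
end

# Simplified stand-in (an assumption, not the real adapter code) for how the
# database adapter fills the ? placeholders: every value is quoted and any
# apostrophe inside it is doubled, so the value can never end the literal.
def render_conditions(conditions)
  sql, *binds = conditions
  sql.gsub("?") do
    Array(binds.shift).map { |v| "'" + v.to_s.gsub("'", "''") + "'" }.join(", ")
  end
end

# Constructed sample input, shaped like the thread's checkbox params.
sample_params = {
  "elementprovince"  => ["KAMPOT", "TAKEO"],
  "elementdown"      => ["ALL"],
  "elementstaffname" => ["O'BRIEN"],
}
puts "bound:        #{advanced_search_conditions(sample_params).inspect}"
puts "rendered:     #{render_conditions(advanced_search_conditions(sample_params))}"
puts "concatenated: #{concatenated_conditions('RecorderName', "O'BRIEN")}"
```

With the array form the staff name O'BRIEN reaches the database as one bound value; with the concatenated form the same name produces RecorderName='O'BRIEN', where the inner apostrophe has already ended the string literal, which is the defect the thread calls SQL injection. The named-placeholder form from the thread, ['province = :elementprovince', params], is the same mechanism with names instead of ? positions.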


#9

You should really read the basics about variable types in Ruby.
All your $… vars are globals. That's not threadsafe and really ugly.

You should really learn to give readable names to your vars

(ex: params[:elements][:province]).

Why

$elementspro = params[:elementprovince]
#…
:conditions => "province=" + $elementspro

instead of

:conditions => "province=" + params[:elementprovince]

??? Your code will be more readable and threadsafe.

Why

:conditions => "province=" + $element

instead of

:conditions => ['province = :elementprovince', params]

??? Your code will be more readable AND SAFE!!!

I agree with Michael, you clearly come from PHP. Ruby is not PHP.
First, there are threads, like in any other proper language, and it means
you have to deal with them.
Second, in Rails, every good practice is often (always?!) simpler to
use than the bad practice. Every Rails tutorial uses good SQL practice, why
not you?

Even your HTML is ugly.

• Instead of millions of checkboxes, use multiple lists
• Don't write your JavaScript in your HTML page
• Don't use divs (or anything else) outside body
• Don't declare body anywhere else than in your layouts
• Don't use logic in the view (page = params[:page]) => will_paginate
  handles a nil params[:page] for you
• Use cool syntax like: page = params[:page] || 1
• Don't use table, unless for tabular data presentation (a table is a
  table, not a visual tool)
• Don't use style properties in HTML, use CSS in separate CSS file(s)

NEVER USE GLOBAL VARS! It's really rare that you can justify their
use.
I think you're clearly not ready to use MVC and OOP, go read manuals.
You just proved, another time, that most PHP coders suck.
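To make the thread-safety point concrete, an added example (not from the thread): two threads stand in for two concurrent requests, and Queue handoffs force the interleaving in which request A parks its parameter in a global, request B overwrites it, and A then reads B's value when it goes to run its query. The same interleaving with a local variable is shown beside it. The function names and the $search_province global are assumptions made for this demonstration.

```ruby
# Added example, not code from the thread. Two threads simulate two requests
# handled at the same time by a multi-threaded server; the Queue handoffs pin
# down one interleaving that such a server can produce at any moment.
# Function names and the $search_province global are assumptions.

# Both "requests" store their province in the same global, as the thread's
# controller does with $elementspro. Returns the value each request ended up
# using.
def search_with_global
  $search_province = nil
  a_stored = Queue.new
  b_done   = Queue.new
  seen = {}
  request_a = Thread.new do
    $search_province = "KAMPOT"   # A stores its parameter in the global
    a_stored.push(:ok)
    b_done.pop                    # A is pre-empted before it runs its query
    seen[:a] = $search_province   # A reads whatever the global holds now
  end
  request_b = Thread.new do
    a_stored.pop
    $search_province = "TAKEO"    # B overwrites the one shared global
    seen[:b] = $search_province
    b_done.push(:ok)
  end
  [request_a, request_b].each(&:join)
  seen
end

# Same interleaving, but each request keeps its parameter in a local variable
# (the equivalent of reading params[...] inside the action), so nothing is shared.
def search_with_local
  a_stored = Queue.new
  b_done   = Queue.new
  seen = {}
  request_a = Thread.new do
    province = "KAMPOT"
    a_stored.push(:ok)
    b_done.pop
    seen[:a] = province
  end
  request_b = Thread.new do
    a_stored.pop
    province = "TAKEO"
    seen[:b] = province
    b_done.push(:ok)
  end
  [request_a, request_b].each(&:join)
  seen
end

puts "global: #{search_with_global.inspect}"   # request A searches with B's province
puts "local:  #{search_with_local.inspect}"    # each request keeps its own
```

With the global, request A silently searches for TAKEO although its user asked for KAMPOT, and nothing in the logs of either request explains why; with a local variable the same scheduling is harmless. This is the cross-request leakage the reply has in mind when it says globals are not threadsafe.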