Security concerns aside, if I want to let the user write Rails code to
my MySql database (e.g. <%= "Hello world %>, and the application would
then parse the code, would that be possible?
On Sat, 6 Oct 2007 20:59:27 +0200, Bob S. wrote:
Security concerns aside, if I want to let the user write Rails code to
my MySql database (e.g. <%= "Hello world %>, and the application would
then parse the code, would that be possible?
Sure:

class MyModel < ActiveRecord::Base
  # Evaluates whatever Ruby the stored text field contains, with the full
  # privileges of the application process.
  def do_something_dangerous
    eval self.a_text_field_containing_ruby_code
  end
end
–
Jay L. |
Boston, MA | My character doesn’t like it when they
Faster: jay at jay dot fm | cry or shout or hit.
http://www.jay.fm | - Kristoffer
Thanks a bunch, Jay! That was fast.
Hi Jody!
That was what I thought might work too. Thanks for the great advice. I
actually just installed the liquid plugin before I saw your post, and
I'll look into Mephisto.
Thanks a bunch again for the fabulous advice, Jody.
…and I can’t believe I just spelled your name incorrectly, Jodi
Bob -
On 6-Oct-07, at 3:15 PM, Bob S. wrote:
Hi Jody!
That was what I thought might work too. Thanks for the great advice. I
actually just installed the liquid plugin before I saw your post, and
I'll look into Mephisto.
After writing I realized that depending on your needs there might be
another option - I’m looking at this option right now.
If you’re not doing templating, FFSB[1] (_why’s FreakyFreaky Sandbox)
might be an option.
Fully Ruby sandboxed syntax - not geared to templates though. The
syntax is much sweeter though - the Ruby we love - I've found Liquid
syntax to be a bit painful but certainly a good solution for end
user templating.
Unfortunately there hasn’t been a commit to FFSB since late 2006.
I’ve presently asked _why the status - no response yet.
(and np on the spelling. common mistake. Mom was a hippy who loved
boys with girls names err spellings)
Howdy Bob -
On 6-Oct-07, at 2:59 PM, Bob S. wrote:
Security concerns aside, if I want to let the user write Rails code to
my MySql database (e.g. <%= "Hello world %>, and the application would
then parse the code, would that be possible?
(warning: "not what you asked, but imo a better solution to user
generated content")
I have implemented such a feature for email templates using the
liquid templating engine.
You can benefit from flow control, operators and sandboxing.
Good resources are:
http://mephistoblog.com/ (look at the Mephisto source for the implementation)
Providing a context to Liquid is the toughest part; not so tough -
you just need to explicitly tell Liquid what objects, attributes and
associations are available.
Let me know if a bit of code can help you move forward.
cheers,
Jodi
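As an added illustration (not code from the thread, and not Liquid's real API), here is the idea Jodi describes reduced to its core: a user-supplied template stored in the database can only reach the objects and attributes the context explicitly exposes, in contrast with the eval snippet above. The Drop class, render_safely, the User struct and the sample row are all constructed for this example.

```ruby
# Constructed stand-in for Liquid's "tell the template what is available"
# model: a Drop wraps a model object and exposes only an explicit allowlist
# of attribute names; everything else is unreachable from the template.
class Drop
  def initialize(object, *allowed)
    @object  = object
    @allowed = allowed.map(&:to_s)
  end

  # Returns the attribute value if allowed, nil otherwise. Never evaluates
  # template text as code.
  def [](name)
    return nil unless @allowed.include?(name)
    @object.public_send(name)
  end
end

# Renders "{{ object.attribute }}" tags against a context hash of Drops.
# Unknown objects or non-allowlisted attributes render as an empty string.
def render_safely(template, context)
  template.gsub(/\{\{\s*(\w+)\.(\w+)\s*\}\}/) do
    drop  = context[$1]
    value = drop && drop[$2]
    value.nil? ? "" : value.to_s
  end
end

# Constructed sample model row, as if loaded from the MySQL database.
User  = Struct.new(:name, :email, :password_digest)
ALICE = User.new("Alice", "alice@example.com", "$2a$12$constructed-digest")

# The context is the allowlist: name and email are exposed, the password
# digest is not, and no other object exists from the template's view.
CONTEXT = { "user" => Drop.new(ALICE, :name, :email) }

# A template a user might have typed into the application; the last two
# tags reference data the context does not expose.
def demo
  user_template = "Hello {{ user.name }} <{{ user.email }}>! " \
                  "{{ user.password_digest }}{{ account.balance }}"
  render_safely(user_template, CONTEXT)
end

puts demo if $PROGRAM_NAME == __FILE__
# => "Hello Alice <alice@example.com>! "
```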