How to use strings as code

In short, I’m looking for a way to grab a string from a database and use
it as code in my rails app. I understand the security implications, but
it’s still what I want to do (and I don’t know what other options I
have!).

I have an ecommerce site that I’m working on, and I want users to be
able to narrow search results using filters. The filters are set up in
the database so that each has a filter_key and filter_value. These are
added to a hash that then fetches items that meet the desired criteria.
Specifically, here’s what it looks like:

@active_filters.each_value do |a|
  @filters[a.filter_key] = a.filter_value
end

@active_filters is a hash. @filters is used in the item lookup
elsewhere. In the database, one filter_key is "our_price" (also a
column in the items table), and the corresponding value is a range:
101...300. If I put the range into the code directly, the item lookup
contains a "WHERE items.our_price BETWEEN 101 AND 300" statement.
However, when the filter_value is returned, the statement is "WHERE
items.our_price = '101...300'", obviously not what I'm looking for.

Does anybody have any suggestions for how to do this? ...or what I
should be doing instead? I really appreciate it. My first "real" rails
app has grown into a monster!

Thanks.

-Kyle

On 6/7/07, Kyle R. [email protected] wrote:

In short, I'm looking for a way to grab a string from a database and use it as code in my rails app. I understand the security implications, but it's still what I want to do (and I don't know what other options I have!).

it's pretty easy, but I wouldn't recommend doing it.

string = "p 'hello world'"
eval(string)

I have an ecommerce site that I'm working on, and I want users to be able to narrow search results using filters. The filters are set up in the database so that each has a filter_key and filter_value. These are added to a hash that then fetches items that meet the desired criteria. Specifically, here's what it looks like:

@active_filters.each_value do |a|
  @filters[a.filter_key] = a.filter_value
end

@active_filters is a hash. @filters is used in the item lookup elsewhere. In the database, one filter_key is "our_price" (also a column in the items table), and the corresponding value is a range: 101...300. If I put the range into the code directly, the item lookup contains a "WHERE items.our_price BETWEEN 101 AND 300" statement. However, when the filter_value is returned, the statement is "WHERE items.our_price = '101...300'", obviously not what I'm looking for.

Does anybody have any suggestions for how to do this? ...or what I should be doing instead? I really appreciate it. My first "real" rails app has grown into a monster!

This is a Rails question and probably would find a happier home on the
Rails list. In fact the answer I gave you above has literally nothing
to do with your question, because it’s not a Ruby eval you want but a
SQL eval. I still wouldn’t recommend using eval, though. What you
really want is a clearer understanding of how databases work in
general and how Rails builds SQL in particular.

Alternatively, both Duane J. and Jay Fields are building SQL DSLs
for Rails in Ruby, and either one of these could give you much less
stressful ways of building the SQL, if Rails’ SQL-building stresses
you out. But again this is totally a thing for the Rails list, you’re
in the wrong part of town for this kind of thing.


Giles B.

Blog: http://gilesbowkett.blogspot.com
Portfolio: http://www.gilesgoatboy.org

Hi –

On Fri, 8 Jun 2007, Robert K. wrote:

eval(string)
    raise "Filter Error: #{filter}"
  end
end

Another thought would be to store the ranges as non-code data, in
their own table – basically two integers per record – and then
construct the range dynamically (but just using regular range syntax,
without eval) from those values.

David

On 08.06.2007 02:36, Giles B. wrote:

On 6/7/07, Kyle R. [email protected] wrote:

In short, I'm looking for a way to grab a string from a database and
use it as code in my rails app. I understand the security
implications, but it's still what I want to do (and I don't know what
other options I have!).

it's pretty easy, but I wouldn't recommend doing it.

string = "p 'hello world'"
eval(string)

To make it safer, he could do some checks to verify the filter is legal,
something like

def convert(filter)
  case filter
  # two or three literal dots between two integers ("101..300", "101...300"),
  # or a single optionally signed integer
  when /\A\d+\.{2,3}\d+\z/, /\A[+-]?\d+\z/
    eval filter
  else
    raise "Filter Error: #{filter}"
  end
end

Kind regards

robert
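The two suggestions above (Robert's whitelist check before eval, and David's idea of turning the stored value into a plain Range without eval) can be combined so that eval is not needed at all. The following is an added example, not code from the thread or from Rails: it parses the stored filter_value string into an Integer or a Range with a strict regex, checks the filter_key against a constructed list of allowed columns, and then builds a conditions array of the shape Rails' finder takes ("sql with ?", bind values). The ALLOWED_COLUMNS list, the SAMPLE_ACTIVE_FILTERS hash and the helper names are assumptions made for the example. It goes slightly beyond the thread in one respect: an exclusive range (three dots) is rendered as >= / < rather than BETWEEN, so the SQL keeps Ruby's range semantics.

```ruby
# Added example (not from the thread): parse a stored filter_value such as
# "101...300" into a Range without eval, then build a parameterised SQL
# condition from the filters hash. All names and sample data are constructed.

# Columns a filter may reference (assumed; a real app would derive this
# from the model's column list rather than a hand-written constant).
ALLOWED_COLUMNS = %w[our_price category_id in_stock].freeze

# Accepts "101..300", "101...300", "42" or "-5" and nothing else.
def parse_filter_value(raw)
  s = raw.to_s.strip
  case s
  when /\A(-?\d+)(\.{2,3})(-?\d+)\z/   # two integers joined by .. or ...
    lo, dots, hi = Integer($1), $2, Integer($3)
    dots.length == 3 ? (lo...hi) : (lo..hi)   # ... excludes the upper bound
  when /\A-?\d+\z/                       # a single integer
    Integer(s)
  else
    raise ArgumentError, "Filter Error: #{raw.inspect}"
  end
end

# Same loop as the poster's, but the key is checked and the value converted
# before it lands in the hash.
def build_filters(active_filters)
  active_filters.each_value.each_with_object({}) do |f, filters|
    key = f[:filter_key].to_s
    unless ALLOWED_COLUMNS.include?(key)
      raise ArgumentError, "Unknown filter column: #{key.inspect}"
    end
    filters[key] = parse_filter_value(f[:filter_value])
  end
end

# Turns the hash into ["sql fragment with ?", bind, bind, ...]. Column names
# come only from the whitelist; every value is passed as a bind parameter.
def to_conditions(filters)
  clauses = []
  binds = []
  filters.each do |col, val|
    if val.is_a?(Range)
      if val.exclude_end?
        clauses << "items.#{col} >= ? AND items.#{col} < ?"
      else
        clauses << "items.#{col} BETWEEN ? AND ?"
      end
      binds << val.begin << val.end
    else
      clauses << "items.#{col} = ?"
      binds << val
    end
  end
  [clauses.join(" AND "), *binds]
end

# Constructed sample data standing in for the @active_filters records.
SAMPLE_ACTIVE_FILTERS = {
  1 => { :filter_key => "our_price",   :filter_value => "101...300" },
  2 => { :filter_key => "category_id", :filter_value => "7" },
}

if __FILE__ == $0
  filters = build_filters(SAMPLE_ACTIVE_FILTERS)
  p filters            # {"our_price"=>101...300, "category_id"=>7}
  p to_conditions(filters)
end
```

Because the stored string is only ever matched against an anchored regex and converted with Integer(), a value that is not exactly an integer or an integer range raises instead of reaching eval or the database, and a filter_key that is not a known column is rejected before it is interpolated into SQL.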

Wow, I appreciate all of the quick responses! I asked here because I
figured converting a string into active code was more of a Ruby than a
Rails thing, but I see how it could have been better put to the Rails
lists.

Thanks again!

-Kyle