Forum: Ruby on Rails running a ruby expression stored in a database

naevity (Guest)
on 2009-01-16 17:32
(Received via mailing list)
Is this even possible? I've got a ruby expression stored in a
database, it's the code to run a plugin since I was having trouble
passing variables stored in the database.

When I try to call the code, it either outputs it as text, or doesn't
display it at all. It's supposed to generate an image and display it.

Right now the code is stored in the database as:

<%= barcode TEST1234, :encoding_format => Gbarcode::BARCODE_128 %>

and in the View, I have this:

<%= code.upc %>    (where upc is the column name in the database)

When I do this, nothing outputs in the view, but if I view the source,
I can see the ruby expression.

If I change the code stored in the database to this:
barcode TEST1234, :encoding_format => Gbarcode::BARCODE_128

This just displays the code on the webpage, which I would expect it
to.

Am I doing something wrong or is this not possible?
Matt Harrison (iwasinnamuknow)
on 2009-01-16 18:06
(Received via mailing list)
naevity wrote:
>
> and in the View, I have this:
>
> <%= code.upc %>    (where upc is the column name in the database)

This will just render the contents of the column as text.

> When I do this, nothing outputs in the view, but if I view the source,
> I can see the ruby expression.
>
> If I change the code stored in the database to this:
> barcode TEST1234, :encoding_format => Gbarcode::BARCODE_128
>
> This just displays the code on the webpage, which I would expect it
> to.
>
> am I doing something wrong or is this not possible?

I think it is possible, but you will have to "eval" it somehow. I've not
done this in ruby before but you should be able to google it quite
easily.

HTH

Matt
Robby Russell (Guest)
on 2009-01-16 18:38
(Received via mailing list)
On Fri, Jan 16, 2009 at 8:32 AM, naevity <jonathan.mulcahy@gmail.com>
wrote:
> <%= barcode TEST1234, :encoding_format => Gbarcode::BARCODE_128 %>
>
> This just displays the code on the webpage, which I would expect it
> to.
>
> am I doing something wrong or is this not possible?

This smells funny... so I wanted to ask for more information. How is
the ruby code going to be added into the database? Would users be
inputting ruby code somehow?

Robby

--
Robby Russell
Chief Evangelist, Partner

PLANET ARGON, LLC
design // development // hosting w/Ruby on Rails

http://www.planetargon.com/
http://www.robbyonrails.com/
aim: planetargon

+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]
Michael Libby (Guest)
on 2009-01-16 19:19
(Received via mailing list)
On Fri, Jan 16, 2009 at 10:32 AM, naevity <jonathan.mulcahy@gmail.com>
wrote:
>
> Is this even possible? I've got a ruby expression stored in a
> database, it's the code to run a plugin since I was having trouble
> passing variables stored in the database.

In my opinion it would be better to solve the original problem you had
with the plugin and passing variables than to use dynamically executed
code as a workaround. From your snippets I'd guess the problem is you
are trying to save/pass a string like "Gbarcode::BARCODE_128" into the
plugin rather than the underlying value referred to by the constant
Gbarcode::BARCODE_128.

What did your original code look like?

> When I try to call the code, it either outputs it as text, or doesn't
> display it at all. It's supposed to generate an image and display it.
>
> right now the code is stored in the database as:
>
> <%= barcode TEST1234, :encoding_format => Gbarcode::BARCODE_128 %>

If you want to execute this as Ruby code, you need to remove the <%=
%> bits (so you're on the right track with that).

> and in the View, I have this:
>
> <%= code.upc %>    (where upc is the column name in the database)
>
> When I do this, nothing outputs in the view, but if I view the source,
> I can see the ruby expression.

<%=h code.upc %> will make it obvious why by preventing your view from
accidentally rendering invalid HTML to the page.

> If I change the code stored in the database to this:
> barcode TEST1234, :encoding_format => Gbarcode::BARCODE_128
>
> This just displays the code on the webpage, which I would expect it
> to.
>
> am I doing something wrong or is this not possible?

It is possible.

$ irb
irb(main):001:0> exp = "puts 'foo'"
=> "puts 'foo'"
irb(main):002:0> eval exp
foo

So in a view: <%= eval code.upc %>

*DANGER DANGER DANGER* you are running with scissors here. If an
attacker can get arbitrary code into your database, using eval like
this will execute that code in the context of your application.

You may want to read up on Kernel#eval, Object#instance_eval, and the
other forms of eval in Ruby, they're a lot of fun. But in this case, I
think they may not be the best choice if you can avoid them.

-Michael


--
Michael C. Libby
www.mikelibby.com
naevity (Guest)
on 2009-01-16 19:33
(Received via mailing list)
On Jan 16, 1:18 pm, "Michael Libby" <michael.c.li...@gmail.com> wrote:
> plugin rather than the underlying value referred to by the constant
> Gbarcode::BARCODE_128.


Thanks for the response Michael and Robby, here's my response before
I saw what Michael wrote:


> This smells funny... so I wanted to ask for more information. How is
> the ruby code going to be added into the database? Would users be
> inputting ruby code somehow?

Well, it's a workaround to another problem I'm running into. I'm
trying to use the barcode-generator plugin
(http://code.google.com/p/barcode-generator/), which is based on the
gbarcode gem.

In my database I have two tables, one for the numbers, and one for the
types of codes.

To use the plugin, you call <%= barcode 'UPCCODE' %> in the view, and
it generates the code to create and display the PNG. My problem is
that I'm trying to add the :encoding_function option to the code,
which would look something like this:

<%= barcode 'UPCCODE', :encoding_function => Gbarcode::BARCODE_ISBN %>

I need to be able to dynamically input the encoding function like
this:

<%= barcode code.number, :encoding_function => code.type.upctype %>

but this pops up errors.

I've tried every combination of trying to pass that value, and it
always fails. So, as a last resort, I wrote code to just write the
whole line to the database for each UPCnumber, i.e.:

<%= barcode 'TEST1234', :encoding_function => Gbarcode::BARCODE_39 %>
<%= barcode '234567890987', :encoding_function => Gbarcode::BARCODE_ISBN %>
<%= barcode 'U567890298322E', :encoding_function => Gbarcode::BARCODE_128 %>

But, as I said above, when I try to pull this code, and run it to
generate and display the barcode, it fails.


For Example:

code: <%= barcode card.cardnumber, :encoding_format => card.rewards.upctype %>
code.type.upctype: Gbarcode::BARCODE_ISBN
result: in method 'Barcode_Encode', argument 2 of type 'int'

code: <%= barcode card.cardnumber, card.rewards.upctype %>
code.type.upctype: :encoding_format => Gbarcode::BARCODE_ISBN
result: index 94105 out of string
Patrick Doyle (Guest)
on 2009-01-16 19:36
(Received via mailing list)
>
> -Michael
>
I've wondered about doing something like this myself, but in a different
context...

Suppose I develop a generic RoR application that I would like to be able
to extend or customize on the fly. As an example, suppose I wanted records
in my database with a certain value for the "from" field to always be
stored in upper case, but I didn't (and can't) know at the time I develop
the application to which values that rule (or some other totally arbitrary
rule) would apply.

I have thought about creating a table for Ruby code, and evaluating that
code at key points in the execution of my application. I would restrict
access to that table to admin users only, so as to reduce the risk of
allowing malicious code into my database.

So far, I haven't gotten anywhere other than wondering whether I really
want to go down this path or not, and wondering how I might do so if I did
want to start down that slippery slope.

I'm curious -- have others had similar wonderments and addressed them
similarly or differently?

--wpd
Michael Libby (Guest)
on 2009-01-16 19:53
(Received via mailing list)
On Fri, Jan 16, 2009 at 12:32 PM, naevity <jonathan.mulcahy@gmail.com>
wrote:

> <%= barcode 'UPCCODE', :encoding_function => Gbarcode::BARCODE_ISBN %>

Hard-coding it like this works for you, right?

> I need to be able to dynamically input the encoding function like
> this:
>
> <%= barcode code.number, :encoding_function => code.type.upctype %>

What are some sample values of code.type.upctype from your database?

-Michael

--
Michael C. Libby
www.mikelibby.com
Aaron Brown (Guest)
on 2009-01-16 20:05
(Received via mailing list)
naevity wrote:
>
I'll second (or third, or whatever) the opinions that retrieving raw
code from a database table and executing it blindly is risky enough that
it should make you lose sleep at night.

In this case, if you decide that loading in the code from a remote
source is the easiest way to solve your problem, why not just put the
code snippets somewhere safer like a yaml file instead? It's a read-only
format, no danger for hackers to inject their own code, and it would be
just as easy (if not easier) to set up for a manageably finite number of
code snippets. Not to mention the fact that the code snippets could be
loaded once and cached, saving you all that extra database activity.

Just a thought.

 - Aaron
naevity (Guest)
on 2009-01-16 20:21
(Received via mailing list)
On Jan 16, 1:52 pm, "Michael Libby" <michael.c.li...@gmail.com> wrote:
> What are some sample values of code.type.upctype from your database?
>
> -Michael




Yes, hardcoding it works. Let's say I want to use an ISBN barcode of
"068816112X"

This works:

<%= barcode '068816112X', :encoding_function => Gbarcode::BARCODE_ISBN %>

Now, let's say in my types table, I have this:

id:  1
type: book
upctype: GBarcode::BARCODE_ISBN

id: 2
type: dvd
upctype: GBarcode::BARCODE_128


and in my 'items' table (instead of code, works better for the
example) I have this:

id: 1
type_id: 1
name: replay
upcnumber: 068816112X

id: 2
type_id: 2
name: batman
upcnumber: 123456789

I can do this without a problem:

<%= barcode item.upcnumber, :encoding_format => Gbarcode::BARCODE_ISBN %>

But that would obviously make the next entry of Batman show up wrong,
since it needs to be a BARCODE type of 128.

This is where stuff starts going wrong. I thought I should be able to
enter the below without a problem

<%= barcode item.upcnumber, :encoding_format => item.type.upctype %>

but that's when I get the "in method 'Barcode_Encode', argument 2 of
type 'int' " error.


If you want to take a look at the plugin's code where the
Barcode_Encode method lies, it's here:

http://code.google.com/p/barcode-generator/source/...

I really appreciate the help, I've wasted an entire day trying to wrap
my head around it. It seems like it should work to me, but I obviously
don't know enough as to why it's not working.
Michael Libby (Guest)
on 2009-01-16 20:45
(Received via mailing list)
On Fri, Jan 16, 2009 at 1:21 PM, naevity <jonathan.mulcahy@gmail.com>
wrote:

> yes, hardcoding it works. Let's say I want to use an ISBN barcode of
> "068816112X"
>
> This works:
>
> <%= barcode '068816112X', :encoding_function => Gbarcode::BARCODE_ISBN %>

Good. Just checking that the easy case works. :)

> Now, let's say in my types table, I have this:
>
> id:  1
> type: book
> upctype: GBarcode::BARCODE_ISBN

I think the problem is your model then.

GBarcode::BARCODE_ISBN is not a string. It's a constant that stands
for the Fixnum 3.

irb(main):001:0> require 'rubygems'
=> true
irb(main):002:0> require 'gbarcode'
=> true
irb(main):003:0> Gbarcode::BARCODE_ISBN
=> 3
irb(main):006:0> Gbarcode::BARCODE_ISBN.class
=> Fixnum

> <%= barcode item.upcnumber, :encoding_format => item.type.upctype %>
>
> but that's when I get the "in method 'Barcode_Encode', argument 2 of
> type 'int' " error.

It's a somewhat opaque error message, but it's telling you that the
second argument is the wrong type... and that it wants an int.

Your view could just as easily contain:

<%= barcode "some_string", :encoding_format => 3 %>

and it should work the same as

<%= barcode "some_string", :encoding_format => Gbarcode::BARCODE_ISBN %>

The value you need to store in your database is the integer/Fixnum.

-Michael

--
Michael C. Libby
www.mikelibby.com
Rob Biedenharn (Guest)
on 2009-01-16 21:29
(Received via mailing list)
On Jan 16, 2009, at 2:44 PM, Michael Libby wrote:
>
> GBarcode::BARCODE_ISBN is not a string. It's a constant that stands
>
> <%= barcode "some_string", :encoding_format => 3 %>
> --
> Michael C. Libby
> www.mikelibby.com


You can probably leverage ActiveSupport#constantize

class Item
   def enc_type
     self.type.upctype.constantize
   rescue NameError
     Gbarcode::DEFAULT
   end
end

assuming that you *want* to store Gbarcode::BARCODE_ISBN in the
database rather than its value as a Fixnum.

HOWEVER, I'll warn you that the name 'type' is reserved by
ActiveRecord for single-table inheritance and you might be better-off
using a word like 'kind' or 'format' ;-)

-Rob

Rob Biedenharn    http://agileconsultingllc.com
Rob@AgileConsultingLLC.com
Gustavo Akio Tominaga Sacomoto (Guest)
on 2009-01-16 21:51
(Received via mailing list)
On Fri, Jan 16, 2009 at 5:21 PM, naevity <jonathan.mulcahy@gmail.com>
wrote:
>> > this:
> yes, hardcoding it works. Let's say I want to use an ISBN barcode of
> type: book
> id: 1
>
>
> my head around it. It seems like it should work to me, but I obviously
> don't know enough as to why it's not working.

It won't work the way you are doing, because "Gbarcode::BARCODE_ISBN"
is ruby code (It's a constant from Gbarcode class) and needs to be
evaluated and when you do "item.type.upctype" the result is the STRING
"Gbarcode::BARCODE_ISBN" which is not interpreted, therefore not
evaluated as the constant.

This code:

 <%= barcode item.upcnumber, :encoding_format => eval(item.type.upctype) %>

works, but it's dangerous and you should avoid it.




--
cheers,

Gustavo Sacomoto

Vice-gerente Geral
Qype Brasil

+55 (11) 76747726

www.qype.com.br
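
An added example, not part of the original thread or the plugin's code: it contrasts the eval approach warned against above with an allow-list lookup that maps the stored string to its integer without executing it. The `Gbarcode` module below is a stand-in for the gem, and `encoding_via_eval`, `encoding_for`, `demo` and the sample column values are hypothetical names constructed for illustration.

```ruby
# Stand-in for the gbarcode gem so this runs without it. BARCODE_ISBN = 3 is
# the value shown in the thread; the other two values are constructed.
module Gbarcode
  BARCODE_ISBN = 3
  BARCODE_39   = 4
  BARCODE_128  = 5
end

SIDE_EFFECTS = [] # records anything a stored string managed to execute

# Pattern warned against in the thread: the column content is run as Ruby.
def encoding_via_eval(stored)
  eval(stored)
end

# Allow-list built once from the module's own BARCODE_* constants. The stored
# string is only ever used as a hash key; it is never parsed or executed.
ALLOWED_ENCODINGS = Gbarcode.constants.grep(/\ABARCODE_/).each_with_object({}) { |name, map|
  map["Gbarcode::#{name}"] = Gbarcode.const_get(name)
}.freeze

def encoding_for(stored)
  ALLOWED_ENCODINGS.fetch(stored.to_s.strip) do
    raise ArgumentError, "unknown barcode encoding: #{stored.inspect}"
  end
end

# Constructed column values: one legitimate, one carrying extra code.
GOOD_VALUE     = "Gbarcode::BARCODE_ISBN"
TAMPERED_VALUE = "(SIDE_EFFECTS << :ran_stored_code; Gbarcode::BARCODE_ISBN)"

def demo
  SIDE_EFFECTS.clear
  {
    eval_good: encoding_via_eval(GOOD_VALUE),
    eval_tampered: encoding_via_eval(TAMPERED_VALUE), # same integer back...
    side_effects: SIDE_EFFECTS.dup,                   # ...but extra code ran
    lookup_good: encoding_for(GOOD_VALUE),
    lookup_tampered: begin
      encoding_for(TAMPERED_VALUE)
    rescue ArgumentError => e
      e.message
    end
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

In a view this would be used as `:encoding_format => encoding_for(item.type.upctype)`, so a value that is not on the list raises instead of reaching the plugin.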
naevity (Guest)
on 2009-01-16 23:03
(Received via mailing list)
> -Michael
Hi Michael,

That worked! Thank you very much, I doubt I ever would have figured
that out in the near future. I'm gonna have to alter my structure to
include those values.

Everyone, thank you very much, I really appreciate it. I do not want
to use the eval option, and I'm glad I now understand why it wasn't
working. It was driving me crazy.

Thanks again,

Jonathan
Miachael A. (miachael_a)
on 2014-06-19 04:52
I've had some experience with this word barcode add-in:

http://www.businessrefinery.com/word-barcode/main.html


Hope it could be helpful. I think I also get something interesting from
this thread.
Matt Jones (Guest)
on 2014-06-19 13:34
(Received via mailing list)
On Wednesday, 18 June 2014 21:53:29 UTC-5, Ruby-Forum.com User wrote:
>
> I've had some experience with this word barcode add-in:
>
> http://www.businessrefinery.com/word-barcode/main.html
>
>
> Hope it could be helpful. I think I also get something interesting from
> this thread.
>
>
Stop reanimating 5-year-old dead threads with SEO-crap. Thanks.

--Matt Jones