Forum: Ruby on Rails Is there any better way to do this?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Fresh Mix (giga)
on 2009-01-25 15:07
#order can be "date" or "score" or "user"

@order = "date" #default
@order = session[:order] if session[:order]
@order = params[:order] if params[:order]

orderby = "updated_on DESC" #default
orderby = "score DESC" if @order == "score"
orderby = "user" if @order == "user"

session[:order] = @order

@results = Stats.find(:all, :order => orderby, :conditions..........
Flower Born (flowerborn)
on 2009-01-25 17:13
(Received via mailing list)
* James Bond <rails-mailing-list@andreas-s.net> [2009-01-25 15:07:51 +0100]:

>
> session[:order] = @order
>
> @results = Stats.find(:all, :order => orderby, :conditions..........

@order = params[:order] || session[:order] || 'date'
orderby = case @order
          when 'user' then 'user'
          when 'score' then 'score DESC'
          else 'updated_on DESC'
          end

my $0.02
Jan
Phlip (Guest)
on 2009-01-25 17:20
(Received via mailing list)
James Bond wrote:

> #order can be "date" or "score" or "user"

Don't use @ unless you are really passing a variable to other methods in
this class.

> @order = "date" #default
> @order = session[:order] if session[:order]
> @order = params[:order] if params[:order]

order = session[:order] || params[:order] || 'date'

Note I use single 'ticks' because I don't need the special abilities of "". That represents a very important style rule - use the simplest code you can. Think of "" as "costing more" than ''.

> orderby = "updated_on DESC" #default
> orderby = "score DESC" if @order == "score"
> orderby = "user" if @order == "user"

orderby = order == 'date' ? 'updated_on' : order
Phlip (Guest)
on 2009-01-25 17:33
(Received via mailing list)
Xie Hanjian wrote:

> orderby = case @order
>           when 'user' then 'user'
>           when 'score' then 'score DESC'
>           else 'updated_on DESC'
>           end

That's better than mine by preserving the DESC.

But why don't the params and session themselves contain the real code - 'updated_on DESC'? The View could, for example, show 'date' to the user and set its value to 'updated_on DESC'. Then all this fun goes away!
Flower Born (flowerborn)
on 2009-01-25 17:40
(Received via mailing list)
* Phlip <phlip2005@gmail.com> [2009-01-25 08:32:22 -0800]:

>
> But why the params and session themselves don't contain the real code -
> 'updated_on DESC'. The View could, for example, show 'date' to the user and set
> its value to 'updated_on DESC'. Then all this fun goes away!

Agree. The only reason may be security - user would know your table
column name 'updated_on' if you use it directly in view.

Jan
Phlip (Guest)
on 2009-01-25 17:59
(Received via mailing list)
Xie Hanjian wrote:

>> But why the params and session themselves don't contain the real code -
>> 'updated_on DESC'. The View could, for example, show 'date' to the user and set
>> its value to 'updated_on DESC'. Then all this fun goes away!
>
> Agree. The only reason may be security - user would know your table
> column name 'updated_on' if you use it directly in view.

They also might hack the params and put in a SQL injection attack.
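Worked example, added here and not code from any poster in the thread. It shows both points raised above: Jan's concern that putting 'updated_on DESC' in the view leaks column names, and Phlip's point that a client who edits the param can feed SQL into the :order clause. It is plain Ruby with no Rails and no database: `params` and `session` are Hashes with symbol keys standing in for the Rails request objects, and `build_query` / `build_query_unsafe` are constructed stand-ins for the SQL that `Stats.find(:all, :order => ...)` would send (old-style `:order` takes a raw SQL fragment, so whatever string reaches it is part of the statement).

```ruby
# Added example (not from the thread). Plain Ruby, no Rails and no database:
# `params` and `session` are Hashes with symbol keys standing in for the Rails
# request objects; build_query and build_query_unsafe are constructed stand-ins
# for the SQL that Stats.find(:all, :order => ...) would send.

# The "real code" (Phlip's term) stays server-side in an allow-list. The client
# only ever sees and sends the short keys, so the column names are not exposed,
# and nothing the client sends reaches the ORDER BY clause verbatim.
ORDER_CLAUSES = {
  'date'  => 'updated_on DESC',
  'score' => 'score DESC',
  'user'  => 'user',
}.freeze

DEFAULT_ORDER = 'date'

# Same precedence as the original post: params beats session beats default.
# Returns [key, orderby]. An unknown key (including a hostile one) falls back
# to the default, and only an allow-listed key is written back to the session,
# so a poisoned session value from older code is also neutralised.
def resolve_order(params, session)
  requested = (params[:order] || session[:order] || DEFAULT_ORDER).to_s
  key = ORDER_CLAUSES.key?(requested) ? requested : DEFAULT_ORDER
  session[:order] = key
  [key, ORDER_CLAUSES.fetch(key)]
end

# Safe path: the ORDER BY text comes from ORDER_CLAUSES, never from the client.
def build_query(params, session)
  _key, orderby = resolve_order(params, session)
  "SELECT * FROM stats ORDER BY #{orderby}"
end

# The variant where the view puts 'updated_on DESC' straight into the form
# value and the controller trusts it. The client now controls part of the
# statement. Kept only to show what goes wrong; do not use.
def build_query_unsafe(params)
  "SELECT * FROM stats ORDER BY #{params[:order]}"
end

if __FILE__ == $0
  evil = { :order => "updated_on DESC; DROP TABLE stats" }
  puts build_query_unsafe(evil)            # attacker text lands in the SQL
  puts build_query(evil, {})               # falls back to the default clause
  puts build_query({ :order => 'score' }, {})
end
```

The check is applied after params and session have been merged, which is why it is one lookup rather than validating each source separately; the case statement Jan posted gets the same result because its `else` branch swallows unknown values, and this just makes the allow-list explicit and reusable for the view's option list.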