Search Results

Search found 21 results on 1 pages for 'williamjones'.

Page 1/1 | 1 

  • Ruby on Rails: How to sanitize a string for SQL when not using find?

    - by williamjones
    I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible, however, if that is the only way I would also appreciate if anyone can point me in the right direction to a regex that is unlikely to be missing anything. There are a number of methods in Rails that can allow you to enter in native SQL commands, how do people escape user input for those? The question I'm asking is a broad one, but in my particular case, I'm working with a column in my Postgres database that Rails does not natively understand as far as I know, the tsvector, which holds plain text search information. Rails is able to write and read from it as if it's a string, however, unlike a string, it doesn't seem to be automatically escaping it when I do things like vector= inside the model. For example, when I do model.name='::', where name is a string, it works fine. When I do model.vector='::' it errors out: ActiveRecord::StatementInvalid: PGError: ERROR: syntax error in tsvector: "::" "vectors" = E'::' WHERE "id" = 1 This seems to be a problem caused by lack of escaping of the semicolons, and I can manually set the vector='\:\:' fine. I also had the bright idea, maybe I can just call something like: ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::" However, this syntax doesn't work, because the raw SQL commands don't have access to find's method of escaping and inputting strings by using the ? mark. This strikes me as the same problem as calling connection.execute with any type of user input, as it all boils down to sanitizing the strings, but I can't seem to find any way to manually call Rails' SQL string sanitization methods. Can anyone provide any advice?

    Read the article

  • Ruby on Rails: How to sanitize a string for SQL when not using find and other built-in methods?

    - by williamjones
    I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible. There are a number of methods in Rails that can allow you to enter in native SQL commands, how do people escape user input for those? The question I'm asking is a broad one, but in my particular case, I'm working with a column in my Postgres database that Rails does not natively understand as far as I know, the tsvector, which holds plain text search information. Rails is able to write and read from it as if it's a string, however, unlike a string, it doesn't seem to be automatically escaping it when I do things like vector= inside the model. For example, when I do model.name='::', where name is a string, it works fine. When I do model.vector='::' it errors out: ActiveRecord::StatementInvalid: PGError: ERROR: syntax error in tsvector: "::" "vectors" = E'::' WHERE "id" = 1 This seems to be a problem caused by lack of escaping of the semicolons, and I can manually set the vector='\:\:' fine. I also had the bright idea, maybe I can just call something like: ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::" However, this syntax doesn't work, because the raw SQL commands don't have access to find's method of escaping and inputting strings by using the ? mark. This strikes me as the same problem as calling connection.execute with any type of user input, as it all boils down to sanitizing the strings, but I can't seem to find any way to manually call Rails' SQL string sanitization methods. Can anyone provide any advice?

    Read the article

  • When optimizing database queries, what exactly is the relationship between number of queries and siz

    - by williamjones
    To optimize application speed, everyone always advises to minimize the number of queries an application makes to the database, consolidating them into fewer queries that retrieve more wherever possible. However, this also always comes with the caution that data transferred is still data transferred, and just because you are making fewer queries doesn't make the data transferred free. I'm in a situation where I can over-include on the query in order to cut down the number of queries, and simply remove the unwanted data in the application code. Is there any type of a rule of thumb on how much of a cost there is to each query, to know when to optimize number of queries versus size of queries? I've tried to Google for objective performance analysis data, but surprisingly haven't been able to find anything like that. Clearly this relationship will change for factors such as when the database grows in size, making this somewhat individualized, but surely this is not so individualized that a broad sense of the landscape can't be drawn out? I'm looking for general answers, but for what it's worth, I'm running an application on Heroku.com, which means Ruby on Rails with a Postgres database.

    Read the article

  • Ruby on Rails: What are partial hash arguments and full set arguments?

    - by williamjones
    I'm using asserts_redirected_to in my unit tests, and I'm receiving this warning: DEPRECATION WARNING: Using assert_redirected_to with partial hash arguments is deprecated. Specify the full set arguments instead. What is a partial hash argument, and what is a full set argument? These aren't terms that I've seen used in the Rails community before, and the only relevant results I can find on Google for these are in reference to this deprecation warning. Here is my code: assert_redirected_to :controller => :user, :action => :search also tried: assert_redirected_to({:controller => :user, :action => :search}) I might have guessed that it feels I'm missing some parameters or something like that, but the API documentation explicitly says that not all parameters need to be included: http://rails.rubyonrails.org/classes/ActionController/Assertions/ResponseAssertions.html

    Read the article

  • Ruby on Rails testing: How can I test or at the very least see a form_for's error_messages_for?

    - by williamjones
    I'm working on creating a tests, and I can't figure out why the creation of a model from a form_for is failing in the test but works in real browsers. Is there a straightforward way for me to see what the problems are in the model creation? Even better would be, is there a straightforward way for me to test the error outputs that I access via error_messages_for? In that case, I'd like to also add in tests that make sure that malformed forms are outputting the correct errors.

    Read the article

  • SQL to join to the best matching row

    - by williamjones
    I have a wiki system where there is a central table, Article, that has many Revisions in their own table. The Revisions each contain a created_at time and date column. I want to update the Articles to contain a denormalized field sort_name from the most recent Revision's name field. What SQL command can I issue to fill in each Article's sort_name field with its most recent Revision's name field? For what it's worth, I'm on PostgreSQL.

    Read the article

  • Ruby on Rails: Accessing production database data for testing

    - by williamjones
    With Ruby on Rails, is there a way for me to dump my production database into a form that the test part of Rails can access? I'm thinking either a way to turn the production database into fixtures, or else a way to migrate data from the production database into the test database that will not get routinely cleared out by Rails. I'd like to use this data for a variety of tests, but foremost in my mind is using real data with the performance tests, so that I can get a realistic understanding of load times.

    Read the article

  • Postgres: Convert varchar to text

    - by williamjones
    I screwed up and created a column as a varchar(255) where that is no longer sufficient. I've read that varchar has no performance benefits over text on Postgres, and so would like to convert the varchar to a text column in a safe way that preserves the data. What's the best way for me to do this?

    Read the article

  • Ruby on Rails: attr_accessor for submodels

    - by williamjones
    I'm working with some models where a lot of a given model's key attributes are actually stored in a submodel. Example: class WikiArticle has_many :revisions has_one :current_revision, :class_name => "Revision", :order => "created_at DESC" end class Revision has_one :wiki_article end The Revision class has a ton of database fields, and the WikiArticle has very few. However, I often have to access a Revision's fields from the context of a WikiArticle. The most important case of this is probably on creating an article. I've been doing that with lots of methods that look like this, one for each field: def description if @description @description elsif current_revision current_revision.description else "" end end def description=(string) @description = string end And then on my save, I save @description into a new revision. This whole thing reminds me a lot of attr_accessor, only it doesn't seem like I can get attr_accessor to do what I need. How can I define an attr_submodel_accessor such that I could just give field names and have it automatically create all those methods the way attr_accessor does?

    Read the article

  • SQL statement to split a table based on a join

    - by williamjones
    I have a primary table for Articles that is linked by a join table Info to a table Tags that has only a small number of entries. I want to split the Articles table, by either deleting rows or creating a new table with only the entries I want, based on the absence of a link to a certain tag. There are a few million articles. How can I do this? Not all of the articles have any tag at all, and some have many tags. Example: table Articles primary_key id table Info foreign_key article_id foreign_key tag_id table Tags primary_key id It was easy for me to segregate the articles that do have the match right off the bat, so I thought maybe I could do that and then use a NOT IN statement but that is so slow running it's unclear if it's ever going to finish. I did that with these commands: INSERT INTO matched_articles SELECT * FROM articles a LEFT JOIN info i ON a.id = i.article_id WHERE i.tag_id = 5; INSERT INTO unmatched_articles SELECT * FROM articles a WHERE a.id NOT IN (SELECT m.id FROM matched_articles m); If it makes a difference, I'm on Postgres.

    Read the article

  • Counting string length in javascript and Ruby on Rails

    - by williamjones
    I've got a text area on a web site that should be limited in length. I'm allowing users to enter 255 characters, and am enforcing that limit with a Rails validation: validates_length_of :body, :maximum => 255 At the same time, I added a javascript char counter like you see on Twitter, to give feedback to the user on how many characters he has already used, and to disable the submit button when over length, and am getting that length in Javascript with a call like this: element.length Lastly, to enforce data integrity, in my Postgres database, I have created this field as a varchar(255) as a last line of defense. Unfortunately, these methods of counting characters do not appear to be directly compatible. Javascript counts the best, in that it counts what users consider as number of characters where everything is a single character. Once the submission hits Rails, however, all of the carriage returns have been converted to \r\n, now taking up 2 characters worth of space, which makes a close call fail Rails validations. Even if I were to handcode a different length validation in Rails, it would still fail when it hits the database I think, though I haven't confirmed this yet. What's the best way for me to make all this work the way the user would want? Best Solution: an approach that would enable me to meet user expectations, where each character of any type is only one character. If this means increasing the length of the varchar database field, a user should not be able to sneakily send a hand-crafted post that creates a row with more than 255 letters. Somewhat Acceptable Solution: a javascript change that enables the user to see the real character count, such that hitting return increments the counter 2 characters at a time, while properly handling all symbols that might have these strange behaviors.

    Read the article

  • Moving information between databases

    - by williamjones
    I'm on Postgres, and have two databases on the same machine, and I'd like to move some data from database Source to database Dest. Database Source: Table User has a primary key Table Comments has a primary key Table UserComments is a join table with two foreign keys for User and Comments Dest looks just like Source in structure, but already has information in User and Comments tables that needs to be retained. I'm thinking I'll probably have to do this in a few steps. Step 1, I would dump Source using the Postgres Copy command. Step 2, In Dest I would add a temporary second_key column to both User and Comments, and a new SecondUserComments join table. Step 3, I would import the dumped file into Dest using Copy again, with the keys input into the second_key columns. Step 4, I would add rows to UserComments in Dest based on the contents of SecondUserComments, only using the real primary keys this time. Could this be done with a SQL command or would I need a script? Step 5, delete the SecondUserComments table and remove the second_key columns. Does this sound like the best way to do this, or is there a better way I'm overlooking?

    Read the article

  • Hide html horizontal but not vertical scrollbar

    - by williamjones
    I have an html textarea that is of fixed width, but variable height. I would like to set overflow:scroll and be able to show a vertical scrollbar, but not a horizontal one. I am not able to use overflow:auto due to other things specific to my situation. I know there is no way using CSS 2 to show only vertical but not horizontal scrollbars. Is there anything I can do with javascript to hide the horizontal scrollbar?

    Read the article

  • Ruby on Rails: What are Erubis' disadvantages and why isn't it packaged with Rails by default? How t

    - by williamjones
    I just discovered Erubis, a replacement for the default view renderer for Ruby on Rails. However, from what I can tell from reading about it, it's superior across the board. It is much faster. It has many more options. It can prevent cross site scripting without having to use h. Does this have any disadvantages versus the standard erb renderer? Why isn't this the standard renderer packaged with Rails? Also, the docs for Erubis say to install it just by installing the gem, and then add the following to environment.rb: require 'erubis/helpers/rails_helper' #Erubis::Helpers::RailsHelper.engine_class = Erubis::Eruby # or Erubis::FastEruby Reading the docs, FastEruby seems to be just a faster renderer than Eruby. Why wouldn't it be default and used by everyone? I'm highly interested in using the engine erubis::EscapedEruby which automatically calls h to escape html on fields from the database. Are there any gotchas I should be aware of or does this pretty much solve all cross site scripting?

    Read the article

  • Ruby on Rails: How best to escape a string in a model?

    - by williamjones
    I want my application to sanitize html on input rather than on display, so that the fields saved into the database are sanitized. I've been doing this with strip_tags, and it was working great. However, this has the downside that it means the user can't input anything that's bracketed with < and . How can I tell Rails in the model to securely escape tags before saving them to the database? I'd like to not have to call h on the sanitized fields again before using them in the views.

    Read the article

  • Smartest way to import massive datasets into a Rails application?

    - by williamjones
    I've got multiple massive (multi gigabyte) datasets I need to import into a Rails app. The datasets are currently each in their own database on my development machine, and I need to read from them and create rows in tables in my Rails database based on the information they contain. The tables in my Rails database will not be exactly the same as the tables in the source databases. What's the smartest way to go about this? I was thinking migrations, but I'm not exactly sure how to connect the migration to the databases, and even if that is possible, is that going to be ridiculously slow?

    Read the article

  • Ruby-on-Rails: Multiple has_many :through possible?

    - by williamjones
    Is it possible to have multiple has_many :through relationships that pass through each other in Rails? I received the suggestion to do so as a solution for another question I posted, but have been unable to get it to work. Friends are a cyclic association through a join table. The goal is to create a has_many :through for friends_comments, so I can take a User and do something like user.friends_comments to get all comments made by his friends in a single query. class User has_many :friendships has_many :friends, :through => :friendships, :conditions => "status = #{Friendship::FULL}" has_many :comments has_many :friends_comments, :through => :friends, :source => :comments end class Friendship < ActiveRecord::Base belongs_to :user belongs_to :friend, :class_name => "User", :foreign_key => "friend_id" end This looks great, and makes sense, but isn't working for me. This is the error I'm getting in relevant part when I try to access a user's friends_comments: ERROR: column users.user_id does not exist : SELECT "comments".* FROM "comments" INNER JOIN "users" ON "comments".user_id = "users".id WHERE (("users".user_id = 1) AND ((status = 2))) When I just enter user.friends, which works, this is the query it executes: : SELECT "users".* FROM "users" INNER JOIN "friendships" ON "users".id = "friendships".friend_id WHERE (("friendships".user_id = 1) AND ((status = 2))) So it seems like it's entirely forgetting about the original has_many through friendship relationship, and then is inappropriately trying to use the User class as a join table. Am I doing something wrong, or is this simply not possible?

    Read the article

  • Align text with right edge of an html form

    - by williamjones
    I have an html form where the width of a textarea is specified with cols=. I want the textarea to have a specific width in terms of number of characters. However, I also want some controls to be right-justified to the right edge of the textarea. They're not in the textarea, but directly above or below it. Is it possible to do this? I was thinking a possible approach might be enclosing the textarea with some type of container that could grow to the width of the textarea, but I'm not sure how I could right-justify text within that.

    Read the article

  • How to alter Postgres table data based on its contents?

    - by williamjones
    This is probably a super simple question, but I'm struggling to come up with the right keywords to find it on Google. I have a Postgres table that has among its contents a column of type text named content_type. That stores what type of entry is stored in that row. There are only about 5 different types, and I decided I want to change one of them to display as something else in my application (I had been directly displaying these). It struck me that it's funny that my view is being dictated by my database model, and I decided I would convert the types being stored in my database as strings into integers, and enumerate the possible types in my application with constants that convert them into their display names. That way, if I ever got the urge to change any category names again, I could just change it with one alteration of a constant. I also have the hunch that storing integers might be somewhat more efficient than storing text in the database. First, a quick threshold question of, is this a good idea? Any feedback or anything I missed? Second, and my main question, what's the Postgres command I could enter to make an alteration like this? I'm thinking I could start by renaming the old content_type column to old_content_type and then creating a new integer column content_type. However, what command would look at a row's old_content_type and fill in the new content_type column based off of that?

    Read the article

1