On Tuesday 12 May 2009, Jim Burgess wrote:
> Hi,
>
> Thanks very much for the replies.
> I will follow Michael's advice and stick it in a module.
>
> > I hope you know what you're doing.
>
> Probably nowhere near as much as I should
>
> > What if one of the strings is
> > %x{echo gotcha}
> > or worse?
>
> It's a date input which is mapped.
> In the model the field is :dob and is a string.
> In the form this is split into :dob_day, :dob_month, :dob_year
>
> Using the method I wrote (currently) in my model I can then write:
> map_three_fields :dob_day, :dob_month, :dob_year
>
> and they are returned as a string containing a date in the form of
> "dd-mm-yyyy" (including hyphens).

Why? IMHO, the best you can do is have a look at how date_select works, 
you'll notice that it already does what you're trying to do. For the 
long story see the code in date_helper.rb and date_helper_test.rb 
somewhere in ActionView and 
ActiveRecord::Base#assign_multiparameter_attributes. For the short 
story, name your fields

dob(1i), dob(2i), and dob(3i) and have ActiveRecord put together these 
parts.

> In the form the maximum length of dob_day and dob_year are 2
> characters. The maximum length of dob_year is 4 characters.
>
> Therefore (I hope) it is not possible to enter "%x{echo gotcha}".

Careful! It may not be possible to enter anything exceeding the max 
length in the average browser, but that doesn't stop anyone from 
submitting requests to your app with other tools.

>
> Now the question to make you slap your hand on your head and look at
> the ceiling:
> What would this do, anyway?

%x{echo gotcha} is another way of writing `echo gotcha`. Each of these 
executes the given command(s) with the rights of the current user. It's 
likely that you wouldn't enter cd $HOME; rm -rf by yourself, so you'd 
better not give someone else an opportunity to enter %x{cd $HOME, rm -rf} 
for you.


> Do you have any comments, ideas, criticism about doing things this
> way?
>
> I found relatively little on the inputting of dates in forms using
> Rails online (date select is genuinely rubbish) and the form should
> also run without javascript. Therefore I put this method together
> myself and would be very grateful if anyone could point out if there
> are any massive security exploits that I have overlooked.

Passing arbitrary, user-provided strings to eval or class_eval *is* a 
huge security hole.

Michael

-- 
Michael Schuerig
mailto:[email protected]
http://www.schuerig.de/michael/
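As an added illustration (not code from this thread, and not Rails' own date_select or multiparameter-attribute machinery), the helper Jim describes (`map_three_fields :dob_day, :dob_month, :dob_year`) can be written with `define_method` instead of building a string for eval or class_eval, so submitted values are only ever treated as data. The module, class and field names below are assumed; the check on each part is done server-side because, as Michael points out, a browser maxlength does nothing against a hand-built request. A value such as `%x{echo gotcha}` simply fails the digit check and yields nil.

```ruby
require 'date'

# Hypothetical module: defines a composite date reader from three part fields
# without eval/class_eval. Plain Ruby; the ActiveRecord parts are left out.
module ThreeFieldDate
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Defines accessors for the three part fields plus a `name` reader that
    # returns "dd-mm-yyyy" (including hyphens) or nil for a non-date.
    def map_three_fields(name, day_field, month_field, year_field)
      attr_accessor day_field, month_field, year_field
      define_method(name) do
        ThreeFieldDate.compose(send(day_field), send(month_field), send(year_field))
      end
    end
  end

  # Strict server-side validation: only digits of the expected width, and the
  # parts must form a real calendar date. Nothing here is evaluated as code.
  def self.compose(day, month, year)
    return nil unless day.to_s.match?(/\A\d{1,2}\z/) &&
                      month.to_s.match?(/\A\d{1,2}\z/) &&
                      year.to_s.match?(/\A\d{4}\z/)
    Date.new(year.to_i, month.to_i, day.to_i).strftime("%d-%m-%Y")
  rescue ArgumentError   # Date.new raises for e.g. 31-02-2009
    nil
  end
end

# Hypothetical model using the helper, mirroring the field names in the thread.
class Person
  include ThreeFieldDate
  map_three_fields :dob, :dob_day, :dob_month, :dob_year
end

# Simulates assigning submitted form params (constructed hash) to the model.
# Only the three known fields are copied; keys are fixed, values come from input.
def build_person(params)
  person = Person.new
  %i[dob_day dob_month dob_year].each { |f| person.send("#{f}=", params[f]) }
  person
end

if __FILE__ == $0
  puts build_person(dob_day: "7", dob_month: "5", dob_year: "1984").dob.inspect
  puts build_person(dob_day: "%x{echo gotcha}", dob_month: "5", dob_year: "1984").dob.inspect
end
```

Michael's recommended route, naming the fields dob(1i), dob(2i), dob(3i) and letting ActiveRecord assemble them, avoids writing this helper at all; the point of the example is that even a hand-rolled version never needs eval.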

