On Tuesday 12 May 2009, Jim Burgess wrote:
> Hi Michael,
> Thanks for the reply.
>
> >> "dd-mm-yyyy" (including hyphens).
> >
> > Why? IMHO, the best you can do is have a look at how date_select
> > works, you'll notice that it already does what you're trying to do.
>
> But isn't date_select really feeble?
> For example it is very easy to make the whole application crash by
> giving date_select false input (eg. entering 31st February with no
> year. http://www.ruby-forum.com/topic/183310)

The app does not crash, it just reacts with an exception to malformed input data. I think Fred Cheung's suggestion in that thread is completely right: catch that exception and handle it. From the ActiveRecord::MultiparameterAssignmentErrors exception you can even find out which attributes were involved and generate a nice error message.

> > Passing arbitrary, user-provided strings to eval or class_eval *is*
> > a huge security hole.
>
> You're right.
> I did have everything working without using eval.
> The method with eval was just intended to make everything that bit
> neater.
> Would it then be sufficient to check the user generated input for
> numericality (ie. ensure that the user has only entered numbers as
> they are supposed to) and only carry out eval in this case, or would
> that make no difference?

You can, of course, do your own sanitizing of input data. But in this particular case I don't see the point. You still need to avoid anomalies like February 31st. I don't see any advantage in doing this stuff yourself instead of giving ActiveRecord a chance and mopping up in case it indicates a problem.

Don't get too enamored with your current approach.

Michael

--
Michael Schuerig
mailto:[email protected]
http://www.schuerig.de/michael/
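For the case Jim describes, a free-text "dd-mm-yyyy" field rather than date_select, the following is an added example (not code from the thread) of parsing that input without eval: a strict pattern check followed by a calendar check, so that both "1-5-2009" and "31-02-2009" are rejected with a user-facing message instead of an exception. The method names parse_dmy and check_dmy are my own.

```ruby
require 'date'

# Only two-digit day, two-digit month and four-digit year, hyphen-separated.
# Anchored with \A and \z so trailing junk cannot ride along.
DMY_PATTERN = /\A(\d{2})-(\d{2})-(\d{4})\z/

# Returns a Date for well-formed, real calendar dates, nil for everything
# else. No user-supplied string is ever passed to eval or class_eval.
def parse_dmy(input)
  return nil unless input.is_a?(String)
  match = DMY_PATTERN.match(input.strip)
  return nil unless match
  # The regex guarantees pure digits, so to_i is safe here.
  day, month, year = match.captures.map(&:to_i)
  # The numericality check alone would accept 31-02-2009; Date.valid_date?
  # knows month lengths and leap years, so it catches that anomaly.
  return nil unless Date.valid_date?(year, month, day)
  Date.new(year, month, day)
end

# Wraps parse_dmy and says why an input was rejected, so the caller can show
# an error message rather than a stack trace.
def check_dmy(input)
  date = parse_dmy(input)
  return [:ok, date] if date
  if input.is_a?(String) && DMY_PATTERN.match(input.strip)
    [:error, "#{input} is not a real calendar date"]
  else
    [:error, "expected a date in dd-mm-yyyy format"]
  end
end

if __FILE__ == $0
  # Constructed sample inputs: valid, impossible day, leap/non-leap, bad format.
  ["12-05-2009", "31-02-2009", "29-02-2008", "29-02-2009",
   "1-5-2009", "12/05/2009", "12-05-2009x"].each do |s|
    puts "#{s.inspect} => #{check_dmy(s).inspect}"
  end
end
```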

