On Monday, February 24, 2014 2:25:12 PM UTC-8, Marcel van Pinxteren wrote:
>
> Does this look a bit like it:
> module Sequel
>   module Plugins
>     module Odata
>       module ClassMethods
>         def odata_query(params)
>           self.dataset.odata_query(params)
>         end
>       end
>
>       module DatasetMethods
>         def odata_query(params)
>           result = self
>           top = params[:$top]
>           skip = params[:$skip]
>           orderby = params[:$orderby]
>           if orderby
>             if orderby.include?('desc')
>               result = result.order(Sequel.desc(orderby.split[0]))
>             else
>               result = result.order(orderby.split[0])
>             end
>           end
>           if skip
>             result = result.offset(skip)
>           end
>           if top
>             result = result.limit(top)
>           end
>           result
>         end
>       end
>     end
>   end
> end
>
I don't see any validation of input. You should be treating the input the
same way as you would treat any code that is potentially hostile (i.e. all
user input in a web application). The order part doesn't look like it will
work correctly since you are passing in a string and not an identifier. If
you have a column named description, ordering it ascending appears to be a
problem. The limit/offset part may work, but it's better to cast the values
to integers instead of leaving them as strings. It doesn't look like it
implements the filtering part.
Thanks,
Jeremy
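The points in Jeremy's reply, worked into code as an added example. This is not Marcel's plugin, not a reply from either poster, and not part of Sequel; the module name `OdataQuery`, the `allowed_columns` allow-list, the `MAX_TOP` cap and the `eq`-only `$filter` subset are all assumptions made for the example. `RecordingDataset` is a constructed stand-in for a `Sequel::Dataset` that only records the chain of calls, so the example runs without a database; against real Sequel you would pass `DB[:users]` instead. Column names are allow-listed and passed as symbols (which Sequel quotes as identifiers, unlike a bare string), the direction is matched as a whole token so `description` is no longer mistaken for `desc`, `$top`/`$skip` go through `Integer()` with a range check, and `$filter` values end up in a hash condition so Sequel binds them as literals rather than SQL.

```ruby
# Hypothetical hardened replacement for the odata_query plugin method.
# All four OData parameters are treated as hostile user input.
module OdataQuery
  class Error < ArgumentError; end

  MAX_TOP = 1000 # assumed cap; keeps $top from turning into a table dump

  Parsed = Struct.new(:order_column, :descending, :limit, :offset, :filters)

  module_function

  # Validate params against an allow-list of column names; raise Error on
  # anything that is not exactly what we expect.
  def parse(params, allowed_columns)
    allowed = allowed_columns.map(&:to_s)
    parsed = Parsed.new(nil, false, nil, nil, {})

    if (orderby = fetch(params, :$orderby))
      col, dir, extra = orderby.strip.split(/\s+/, 3)
      raise Error, "bad $orderby" if col.nil? || extra
      parsed.order_column = column!(col, allowed)
      parsed.descending =
        case dir.to_s.downcase
        when "", "asc" then false   # "description" alone is ascending
        when "desc"    then true
        else raise Error, "bad direction #{dir.inspect}"
        end
    end

    parsed.limit  = int!(fetch(params, :$top),  1, MAX_TOP,   "$top")  if fetch(params, :$top)
    parsed.offset = int!(fetch(params, :$skip), 0, 2**31 - 1, "$skip") if fetch(params, :$skip)
    parsed.filters = parse_filter(fetch(params, :$filter), allowed) if fetch(params, :$filter)
    parsed
  end

  # Apply the validated query to a dataset using only identifier-safe calls.
  def apply(dataset, params, allowed_columns)
    p = parse(params, allowed_columns)
    ds = dataset
    ds = ds.where(p.filters) unless p.filters.empty?
    if p.order_column
      # A symbol is an identifier to Sequel; Dataset#reverse yields ORDER BY ... DESC
      ds = p.descending ? ds.reverse(p.order_column) : ds.order(p.order_column)
    end
    ds = ds.offset(p.offset) if p.offset
    ds = ds.limit(p.limit) if p.limit
    ds
  end

  def fetch(params, key)
    v = params[key] || params[key.to_s]   # accept symbol or string keys
    v.nil? || v.to_s.empty? ? nil : v.to_s
  end

  def column!(name, allowed)
    raise Error, "unknown column #{name.inspect}" unless allowed.include?(name)
    name.to_sym
  end

  def int!(raw, min, max, what)
    n = begin
      Integer(raw, 10)                    # "10; --" and "0x10" both raise
    rescue ArgumentError, TypeError
      raise Error, "#{what} is not an integer"
    end
    raise Error, "#{what} out of range" unless n.between?(min, max)
    n
  end

  # Deliberately tiny $filter subset: "col eq 'literal' and col eq 'literal'".
  # Values land in a hash condition, so Sequel binds them as literals.
  def parse_filter(filter, allowed)
    filter.split(/\s+and\s+/i).each_with_object({}) do |term, h|
      m = term.strip.match(/\A(\w+)\s+eq\s+'((?:[^']|'')*)'\z/)
      raise Error, "unsupported $filter term #{term.inspect}" unless m
      h[column!(m[1], allowed)] = m[2].gsub("''", "'")
    end
  end
end

# Constructed stand-in for Sequel::Dataset: records the call chain instead of
# building SQL, so the example runs offline.
class RecordingDataset
  attr_reader :ops
  def initialize(ops = [])
    @ops = ops
  end
  %i[order reverse offset limit where].each do |m|
    define_method(m) { |arg| RecordingDataset.new(ops + [[m, arg]]) }
  end
end

ALLOWED = %i[id name description created_at]

def demo(params)
  OdataQuery.apply(RecordingDataset.new, params, ALLOWED).ops
end

def rejected?(params)
  OdataQuery.parse(params, ALLOWED)
  false
rescue OdataQuery::Error
  true
end
```

Wiring this into the plugin is the same shape as the original: `DatasetMethods#odata_query(params)` becomes `OdataQuery.apply(self, params, model.columns)` (or an explicit allow-list narrower than the table's columns, if some are not meant to be sortable or filterable), and the `Error` is turned into a 400 response at the web layer rather than leaking into the database.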
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
Visit this group at http://groups.google.com/group/sequel-talk.