Using Ruby on Rails combined with capistrano and git, I've run into an annoying problem..
I have a controller "people" with the index action that looks something like this:
def index
@people = Person.find( :conditions => params[:search] )
end
There is a boolean "is_admin" column in the Person table. Assuming that some of the people are admin and some are not, a get call to http://localhost:3000/people?search[is_admin]=true should populate @people with some users... And this is true for my local pc when I run the app in development mode..
But.... When I deploy to my server account ( railsplayground ), a call to http://mydomain.com/people?search[is_admin]=true fails to find any matching items. However, if I change ...?search[is_admin]=开发者_开发技巧true to ...?search[is_admin]=1 the response returns the administrator users as expected...
Back on my local pc, the use of "1" instead of "true" fails.
The bottom line is that
Person.find( :all, :conditions => { :is_admin => 'true' } )
works my development environment, and
Person.find( :all, :conditions => { :is_admin => 1 } )
works in my deployed environment.
Why is this? and how can I fix it?
Ideally I would like to place links like:
link_to( "Administrators", {
:controller => '/people',
:action => :index,
:search => { :is_admin => true }
})
and get a lists of administrators :).
Might be worthy to note that my development database is a sqlite3 file, and production is a mysql database...
EDIT: I understand the objections to user-input, but in this exceptional case it is a very very minor threat. Also, my current code works perfectly in either my development pc, or my production account, but not on both. The easiest sollution seems to change the way sqlite3 saves and interperets boolean values, so I would change my question to "how do I change the way sqlite saves boolean values"... If sqlite would mimic mysql's behavior perfectly, it would serve my developments needs perfectly...
The problem is that you are passing a boolean value as string and the final behavior depends on the active database. Here's a more detailed explanation.
When you read the params[:search]
variable, the content is a string and there's no type. This is because the query string can't understand whether
params[:search][:is_admin] = "true"
actually means
params[:search][:is_admin] = "true"
params[:search][:is_admin] = true
Likewise, when you pass 1 you end up with
params[:search][:is_admin] = "1"
which is different than
params[:search][:is_admin] = 1
When you pass the value to the query, because you are not passing a boolean, the value is not translated by the database adapter. Your final query result in something like
SELECT * FROM `persons` WHERE `persons.is_admin` = 'true'
SQLite3 stores boolean as t/f strings. true
is stored as 't'
and false
is stored as 'f'
. I guess it also understands true/false and it automatically translates your query.
On the opposite, MySQL understands only 0/1 and true/false and it fails.
When you switch the behavior, passing 1
instead of true
, you are causing SQLite to fail because it can't translate the string "1"
to 't'
. On the opposite, MySQL can and it does.
In both case, you are doing it wrong. You shouldn't pass a string but a boolean value. Also, you should never trust user input.
My suggestion is to normalize your params[:search]
before feeding Person.find
.
I think the difference between using sqlite and mysql is the cause of your issue.
But allowing active record conditioned to be passed in directly from the query string seems like a bad idea to me, and could leave your app open to sql injection attacks.
@Simone answer explains why you get such a behavior. To get correct result in both sqlite3 and mysql you should pass:
Person.find( :all, :conditions => { :is_admin => true } )
If you will have only one level of parameters (you have params[:search][:something]
but nothing deeper) than you can create correct hash with conditions like this:
my_conditions = Hash.new
params[:search].each do |item, value|
my_conditions[item.to_sym] = value == 'true' ? true : value == 'false' ? false : value
end
It will iterate over all search params and will change all 'true'
to true
and 'false'
to false
. If there will be other value it will leave it as it is. Of course you can put here any logic you want. If it will get more complicated than you can rewrite it with if
or with switch
.
Than you can:
Person.all(:conditions => my_conditions)
精彩评论