dolzenko 0.0.23 → 0.0.24

data/lib/dolzenko/django_f_object.html

@@ -0,0 +1,153 @@
+<div>
+  <p>
+    Recently I was browsing 
+    <a href="http://docs.djangoproject.com/en/1.2/">
+      Django</a> 
+    documentation deliberately looking for
+    some ideas to cross-pollinate to Rails. F() and Q() objects looked like
+    nice little hacks so I decided to implement them for Rails.
+  </p>
+
+  <!--more-->
+
+  <h2>Q() Object</h2>
+
+  <p>
+    Even though it's not nearly as powerful as his Star Trek namesake 
+    it's still pretty interesting to look at (original docs available
+    <a href="http://docs.djangoproject.com/en/dev/topics/db/queries/#complex-lookups-with-q-objects">
+      here</a>).
+    It tackles the problem of complex SQL conditions building.
+    Usually most issues arise from the fact that simple hash based conditions
+    don't allow for negated or <code>OR</code>ed conditions. There are plenty of
+    other projects aimed to mitigate these restrictions among others (a while
+    ago I assembled the collection of these):
+    <a href="http://github.com/thoughtbot/squirrel">Squirrel</a>,
+    <a href="http://github.com/defunkt/ambition">Ambition</a>,
+    <a href="http://github.com/knowtheory/dm-sugar-glider">dm-sugar-glider</a>,
+    <a href="http://github.com/ezmobius/ez-where">ez_where</a>,
+    <a href="http://github.com/johnbender/rquery">RQuery</a>,
+    <a href="http://github.com/binarylogic/searchlogic">Searchlogic</a>,
+    <a href="http://github.com/jeremyevans/sequel">Sequel</a>,
+    probably most recent one is
+    <a href="http://github.com/ernie/meta_where">MetaWhere</a>.
+  </p>
+
+  <p style="clear: left;">
+    There are different tricks above libraries employ
+    <ol>
+      <li>
+        <code>instance_eval</code> and/or <code>method_missing</code> letting you
+        write
+        [ruby]
+        # Squirrel
+        Playlist.find(:all) do
+          any do
+            name == "Party Mix"
+            total_length > 3600
+          end
+        end
+        [/ruby]
+        or
+        [ruby]
+        # RQuery
+        User.where do |user|
+          (user.age > 20) | (user.age.in 16,18)
+        end
+        [/ruby]
+      </li>
+      <li>core objects extensions
+        (extending <code>Hash</code> and/or <code>Symbol</code> objects)
+        [ruby]
+        # Sequel
+        Artist.filter(:name.like('Y%') & ({:b=>1} | ~{:c=>3}))
+        # SELECT * FROM artists WHERE name LIKE 'Y%' AND (b = 1 OR c != 3)
+        [/ruby]
+      </li>
+      <li>
+        hooking the interpreter (accessing syntax tree of the condition
+        specifying block)
+        [ruby]
+        # Ambition
+        >> SQL::User.select { |m| m.name == 'jon' && m.age == 21 }.to_s
+        => "SELECT * FROM users WHERE users.name = 'jon' AND users.age = 21"
+        [/ruby]
+      </li>
+    </ol>
+  </p>
+
+  <p>
+    While there is nothing technically wrong with the approaches listed above,
+    it's interesting to see what can be done without resorting to any of these
+    tricks. The Q() object fits there very well. It let's you build ORed,
+    ANDed, and negated conditions without dropping to writing SQL (drawing
+    on simple and well known hash-based syntax). Below is the illustration
+    of Q() based syntax and the corresponding SQL fragments generated by it
+
+    [ruby]
+    ~Q(:user_id => nil) # => user_id IS NOT NULL
+
+    Q(:user_id => nil) | Q(:id => nil) # => user_id IS NULL OR id IS NULL
+
+    ~(Q(:user_id => nil) & Q(:id => nil)) # => user_id IS NOT NULL AND id IS NOT NULL
+    [/ruby]
+
+    Ruby 1.9 allows <code>!</code> operator overloading leading to more
+    natural syntax for negated conditions
+
+    [ruby]
+    !Q(:user_id => nil) # => user_id IS NOT NULL
+    [/ruby]
+  </p>
+
+  <h2>F() Object</h2>
+
+  <p>
+    <a href="http://docs.djangoproject.com/en/dev/topics/db/queries/#query-expressions">
+      Original docs</a>. It let's you reference your database columns and do
+    simple calculations on them from your conditions and update statements.
+    The concept is pretty simple and can be illustrated with a few
+    examples
+    [ruby]
+    # Simple column reference
+    User.where(:updated_at => F(:created_at))
+    # instead of writing it in SQL like: User.where("updated_at = created_at")
+
+    # Column reference with calculation
+    User.where(:updated_at => F(:created_at) + 1)
+    # instead of User.where("updated_at = created_at + 1")
+
+    # Calculation with references also work
+    User.where(:updated_at => F(:created_at) + F(:updated_at))
+    # instead of User.where("updated_at = created_at + updated_at")
+
+    # Use in update statement
+    User.update_all(:id_copy => F(:id))
+    # instead of User.update_all("id_copy = id")
+    [/ruby]
+
+    Nice side effect of using this is that you get atomic operations for free
+    [ruby]
+      user = User.find(1)
+      user.views = F(:views) + 1 #
+      user.save
+    [/ruby]
+    
+    Whenever the <code>save</code> is called it's the current `views`
+    that will be incremented (not the value that that was loaded with
+    <code>User.find</code>).
+  </p>
+
+  <h2>Installation</h2>
+
+  <p>
+    You can get the code from my eponymous gem like this
+    [ruby]
+    > gem install dolzenko
+    > irb
+    
+    [/ruby]
+  </p>
+  
+</div>
+

data/lib/dolzenko/django_f_object.rb

@@ -28,7 +28,7 @@
 #
 #
 
-require "require_gist"; require_gist "383954/ea5a41269aac073b596b21fe392098827186a32b/alias_method_chain_once.rb", "a6f068593bb45fe6c9956205f672ac4a0c2e1671" # http://gist.github.com/383954
+require "dolzenko/alias_method_chain_once.rb"
 
 class F
   attr_accessor :attr_name

data/lib/dolzenko/django_q_object.rb

@@ -21,7 +21,7 @@
 # User.where(!Q(:user_id => nil))
 #
 
-require "require_gist"; require_gist "383954/ea5a41269aac073b596b21fe392098827186a32b/alias_method_chain_once.rb", "a6f068593bb45fe6c9956205f672ac4a0c2e1671" # http://gist.github.com/383954
+require "dolzenko/alias_method_chain_once"
 
 class Q
   def |(other)

data/lib/dolzenko/safe_interpolate.html

@@ -0,0 +1,121 @@
+<div>
+  <h2>Age-Old Problem</h2>
+
+  <p>
+    Suppose you want to authenticate user from the login/password entered
+    on the web from
+    [ruby]
+    user = User.first(:conditions => "login = '#{ login }' AND password = '#{ password }'")
+    [/ruby]
+    Such authentication code as we know can be easily fooled with the
+    <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.
+
+    Thankfully in Rails there are parameterized queries and the above can be
+    rewritten in at least 3 injection safe ways
+    [ruby]
+    User.find_by_login_and_password(login, password)
+    # or
+    User.first(:conditions => ["login = ? AND password = ?", login, password])
+    # or
+    User.first(:conditions => ["login = :login AND password = :password", { :login => login, :password => password }])
+    [/ruby]
+  </p>
+
+  <h2>Many Solutions (Haskell Included)</h2>
+
+  <p>
+    Parameterized queries cover most of the cases but what if you have large
+    query with multiple parameters? 
+    You can quickly lose track of all the question marks and order
+    in which parameters appear. Most likely you will prefer the latter,
+    hash-based notation.
+  </p>
+
+  <!--more-->
+
+  <p>
+    Side note: This stuff is actually analyzed in depth by
+    <a href="http://onestepback.org/">
+      Jim Weirich</a>
+    in his
+    <a href="http://mwrc2009.confreaks.com/14-mar-2009-18-10-the-building-blocks-of-modularity-jim-weirich.html">
+      The Building Blocks of Modularity</a>
+    presentation where he talks about the connascence in software.
+  </p>
+
+  <p>
+    Back to our topic what we really want is just to write SQL queries
+    injecting properly quoted values where needed. In other words we would like
+    to be able to customize the way string interpolation works. In cool
+    languages like Haskell this concept is natively supported and called
+    <a href="http://www.haskell.org/haskellwiki/Quasiquotation">
+      Quasiquotation</a>. 
+    While not really on par with such rigorous achievements it can
+    be simulated everywhere where <code>eval</code> is available.
+    Here is for example
+    <a href="http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html">
+      the solution</a>
+    from the
+    <a href="http://en.wikipedia.org/wiki/Caja_(programming_language)">
+      Google Caja</a>
+    team.
+  </p>
+
+  <h2>Hack For Better Future</h2>
+
+  <p>
+    There is <code>eval</code> in Ruby and there is also one peculiar feature
+    about it. You can pass <code>binding</code> to it, and when the
+    block is created it's <code>binding</code> is captured and therefore can be
+    used from anywhere (providing access to the lexical scope captured by the
+    block). Let's illustrate that
+    [ruby]
+    ruby-head > def m
+                  local = 42
+                  proc {} # return empty block to get binding from it later
+                end
+    ruby-head > eval("local", m.binding) # binding gives access to the scope where block was created
+    => 42 
+    [/ruby]
+  </p>
+
+  <p>
+    Using that feature we can hide <code>eval</code> and implement our own
+    safe interpolation routines like I did in
+    <a href="http://github.com/dolzenko/dolzenko-gem/blob/master/lib/dolzenko/safe_interpolate.rb">
+      safe_interpolate.rb</a>.
+    Use it like
+    
+    [ruby]
+    ruby-head > require 'dolzenko/safe_interpolate'
+    ruby-head > include SafeInterpolate
+    ruby-head > login = "' or 1=1"
+    ruby-head > sql_interpolate { 'login = #{ login }' }
+     => "login = ''' or 1=1'" # single quote got turned into double and the whole expression is quoted itself
+    [/ruby]
+
+    HTML and URI escaping are also provided
+    [ruby]
+    ruby-head > content = "<script>alert(1)</script>"
+    ruby-head > html_interpolate { '<p>#{ content }</p>' }
+    => "<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>" # injection prevented!
+
+    ruby-head > query = "&admin=1"
+    ruby-head > uri_interpolate { 'http://example.com?q=#{ query }' }
+    => "http://example.com?q=%26admin%3D1"
+    [/ruby]
+  </p>
+
+  <h2>Further Reading</h2>
+
+  <p>
+    <a href="http://blog.moertel.com/articles/2006/10/18/a-type-based-solution-to-the-strings-problem">
+      A type-based solution to the "strings problem": a fitting end to XSS and SQL-injection holes?</a>
+    by Tom Moertel. This article got me interested in the subject. <br>
+    
+    <a href="http://intoverflow.wordpress.com/2010/06/30/haskell-features-id-like-to-see-in-other-languages/">
+      Haskell features I'd like to see in other languages</a>
+    by Tim Carstens. Check the &laquo;Quasi-quoting&raquo; section for collection of Haskell
+    quoting related links.
+  </p>
+</div>

data/lib/dolzenko/safe_interpolate.rb

@@ -2,8 +2,10 @@ require "active_support/all"
 require "active_record"
 require "cgi"
 
+# http://dolzhenko.org/blog/2010/07/safe-string-interpolation-in-ruby/
 module SafeInterpolate
   def generic_interpolate(string_block, interpolator)
+    raise ArgumentError, "block returning string to interpolate must be provided" unless string_block 
     string_with_interpolations = string_block.call
     string_with_interpolations.gsub(/\#\{([^}]*)\}/) do
       result = eval($1, string_block.binding)
@@ -11,6 +13,11 @@ module SafeInterpolate
     end
   end
 
+  # Examples
+  #
+  #     include SafeInterpolate
+  #     ...
+  #     sql_interpolate { 'name = #{ name }' } # => "name = 'Bob'"
   def sql_interpolate(&string_block)
     generic_interpolate(string_block, ActiveRecord::Base.connection.method(:quote))
   end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 0
-  - 23
-  version: 0.0.23
+  - 24
+  version: 0.0.24
 platform: ruby
 authors: 
 - Evgeniy Dolzhenko
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-07-02 00:00:00 +04:00
+date: 2010-07-03 00:00:00 +04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -63,6 +63,7 @@ files:
 - lib/dolzenko/core_ext/kernel/in.rb
 - lib/dolzenko/core_ext/kernel/r.rb
 - lib/dolzenko/core_ext/object/is_an.rb
+- lib/dolzenko/django_f_object.html
 - lib/dolzenko/django_f_object.rb
 - lib/dolzenko/django_q_object.rb
 - lib/dolzenko/error_print.rb
@@ -72,6 +73,7 @@ files:
 - lib/dolzenko/io_interceptor.rb
 - lib/dolzenko/light.rb
 - lib/dolzenko/remote_download.rb
+- lib/dolzenko/safe_interpolate.html
 - lib/dolzenko/safe_interpolate.rb
 - lib/dolzenko/shell_out.rb
 - lib/dolzenko/try_block.rb