I am making a custom rails route as:
match '/setFavoriteRestaurant/:user_id/:restaurant_id/:campaignSetFav_id/:metro_id/:time_period', to: 'requests#setFavoriteRestaurant', via: 'get'
with controller action:
def setFavoriteRestaurant
setFavorite = "INSERT INTO androidchatterdatabase.users_favorite_restaurants(usersId,restaurantId,campaignIdSetFav,metroId,timePeriod,favoritedDt)
VALUES(" + params[:user_id].to_s + ","
+ params[:restaurant_id].to_s + ","
+ params[:campaignSetFav_id].to_s + ","
+ params[:metro_id].to_s + ","
+ params[:time_period].to_s + ",
NOW());"
ActiveRecord::Base.connection.execute(setFavorite)
end
Yet when testing in the browser with: http://localhost:3000/setFavoriteRestaurant/1/2/3/5/4
it returns an odd error as: undefined method +#' for "2":String
Why is this the case when other methods, setup exactly the same are fine to run?
This has to do with how you broke up the lines. Ruby doesn't know that the VALUES(" + line and the + params[:restaurant_id] are part of the same thing. This is because the VALUES( + line is complete. Move the + to the end of the line so that Ruby will know to expect the next line to be a continuation.
setFavorite = "INSERT INTO androidchatterdatabase.users_favorite_restaurants(usersId,restaurantId,campaignIdSetFav,metroId,timePeriod,favoritedDt)" +
"VALUES(" + params[:user_id].to_s + "," +
params[:restaurant_id].to_s + "," +
params[:campaignSetFav_id].to_s + "," +
params[:metro_id].to_s + "," +
params[:time_period].to_s + ",NOW());"
Also, note that I moved some other things around to avoid new lines and extra spaces.
I'm not sure why you prefer raw SQL here, but you should consider going through Rails. Seems like you're opening yourself up to SQL injection. At the very least, you could have some constraints in the route to match only integers.
Ruby has a couple of ways to quote multi line strings:
1) Here it is with ruby's heredoc syntax:
def some_action
setFavorite = <<-"END_OF_INSERT"
INSERT INTO androidchatterdatabase.users_favorite_restaurants(
usersId,
restaurantId,
campaignIdSetFav,
metroId,
timePeriod,
favoritedDt
)
VALUES(
"#{params[:user_id]}",
"#{params[:restaurant_id]}",
"#{params[:campaignSetFav_id]}",
"#{params[:metro_id]}",
"#{params[:time_period]}",
NOW()
);
END_OF_INSERT
end
Explanation:
setFavorite = <<-"END_OF_INSERT"
- => Terminator does not have to be at the start of the line.
"" => This is a double quoted string--do interpolation.
2) Here it is with %Q{}:
setFavorite = %Q{
INSERT INTO androidchatterdatabase.users_favorite_restaurants(
usersId,
restaurantId,
campaignIdSetFav,
metroId,
timePeriod,
favoritedDt
)
VALUES(
"#{params[:user_id]}",
"#{params[:restaurant_id]}",
"#{params[:campaignSetFav_id]}",
"#{params[:metro_id]}",
"#{params[:time_period]}",
NOW()
);
}
However, your SQL statement is still vulnerable to sql injection attacks. Check your db adapter for how to do parameter substitutions.
Related
I'm new in Ruby on rails and I would like to fetch records based on a condition, and I'm passing the condition in a string format. Moreover, I will pass the query in multiple OR and AND conditions. However, right now, I'm stuck that how to pass the query in string format in rails
I have attached the screenshot
#data= CustomAttribute.includes(:custom_attribute_values).where(id: 18, company_id: current_user.company_id).first
The above line executed successfully and gave the output
<CustomAttribute id: 18, data_type: "string", label: "Marital status", code: "marital_status", entity_type: "member", company_id: 1, created_at: "2021-03-10 10:16:15", updated_at: "2021-03-10 10:16:27", is_active: true, is_default: false, rank: nil, is_identifier: false>
but when I executed the below line it gave me the error that
#data.custom_attribute_values.where("\""+"value_string"+"\""+"="+"\""+'Single'+"\"").size
ERROR: column "Single" does not exist
the Single is the value which I would like to count
Here is my code for the dynamic query creation
logical_operator = 'OR'
#custom_attribute = CustomAttribute.includes(:custom_attribute_values).where(id: custom_attribute_ids, company_id: current_user.company_id)
query=""
#custom_attribute.each_with_index do |attribute_object, index|
filter_object= filter_params[:filters].find {|x| x['custom_attribute_id']==attribute_object['id']}
if filter_object.present?
query += "("+ '"' +'value_'+attribute_object.data_type + '"' + ' ' + filter_object['operator'] + ' ' + "'" + filter_object['value'].to_s + "'"+ ")"
end
if index != #custom_attribute.length-1
query+=' '+logical_operator+' '
end
if index == #custom_attribute.length-1
query="'" + " ( " + query + " ) " + "'"
end
end
byebug
puts(#custom_attribute.first.custom_attribute_values.where(query).size)
Any time you're doing a lot of escaping and string addition in Ruby you're doing it wrong. If we clean up how you build your SQL:
"\""+"value_string"+"\""+"="+"\""+'Single'+"\""
things will be clearer. First, put space around your operators for readability:
"\"" + "value_string" + "\"" + "=" + "\"" + 'Single' + "\""
Next, don't use double quotes unless you need them for escape codes (such as \n) or interpolation:
'"' + 'value_string' + '"' + '=' + '"' + 'Single' + '"'
Now we see that we're adding several constant strings so there's no need to add them at all, a single string literal will do:
'"value_string" = "Single"'
Standard SQL uses double quotes for identifiers (such as table and column names) and single quotes for strings. So your query is asking for all rows where the value_string column equals the Single column and there's your error.
You want to use single quotes for the string (and %q(...) to quote the whole thing to avoid adding escapes back in):
#data.custom_attribute_values.where(
%q("value_string" = 'Single')
)
Or better, let ActiveRecord build the query:
# With a positional placeholder:
#data.custom_attribute_values.where('value_string = ?', 'Single')
# Or a named placeholder:
#data.custom_attribute_values.where('value_string = :s', s: 'Single')
# Or most idiomatic:
#data.custom_attribute_values.where(value_string: 'Single')
I am searching for a solution to just and only consider real forex pairs in my loop. I don't want CFDs, commodities, silver, gold, etc. to be included because they have a complete different logic when it comes to calculating pips etc. etc. (I want to use the data for a FX dashboard).
How can I implement a filter to do so without building if-statements for every FX pair existing?
If possible, the solution should be independent of the broker used (since the offered FX pairs might be different from broker to broker, so a common approach would be the all-in solution).
This is my current code that doesn't seperate between fx and non fx:
/*
2.) Create a string format for each pending and running trade
*/
int live_orders = OrdersTotal();
string live_trades = "";
for(int i=live_orders; i >= 0; i--)
{
if(OrderSelect(i,SELECT_BY_POS)==false) continue;
live_trades = live_trades +
"live_trades|" +
version + "|" +
DID + "|" +
AccountNumber() + "|" +
IntegerToString(OrderTicket()) + "|" +
TimeToString(OrderOpenTime(), TIME_DATE|TIME_SECONDS) + "|" +
TimeToString(OrderCloseTime(), TIME_DATE|TIME_SECONDS) + "|" +
IntegerToString(OrderType()) + "|" +
DoubleToString(OrderLots(),2) + "|" +
OrderSymbol() + "|" +
DoubleToString(OrderOpenPrice(),5) + "|" +
DoubleToString(OrderClosePrice(),5) + "|" +
DoubleToString(OrderStopLoss(),5) + "|" +
DoubleToString(OrderTakeProfit(),5) + "|" +
DoubleToString(OrderCommission(),2) + "|" +
DoubleToString(OrderSwap(),2) + "|" +
DoubleToString(OrderProfit(),2) + "|" +
"<" + OrderComment() + ">|";
}
This is probably the easiest way. Prefix symbols might be a problem (e.g. mEURUSD) but easily solved by shifting the StringSubstr values by the prefix size. Suffix is not a problem as we take the first 6 chars of the symbol string.
const string FX_CURRENCIES[]={"EUR","GBP","USD","NZD","AUD","CHF","CAD","JPY"};//add other currencies if needed
bool isFxPair(const string symbol){
return StringLen(symbol)>=6 && getCurrencyIdx(StringSubStr(symbol,0,3))>=0 &&
getCurrencyIdx(StringSubStr(symbol,3,3))>=0;
}
int getCurrencyIdx(const string smb){
for(int i=ArraySize(FX_CURRENCIES)-1;i>=0;i--){
if(FX_CURRENCIES[i]==smb)
return i;
}
return -1;
}
Use of CStringArray and caching FX symbols might be another good idea that may potentially work faster, but it seems to use the similar logic as above(but you'll have to sort the cache every time you add something in order to have CStringArray collection to work fast).
There is no direct method to ask whether a symbol is FX, CFD, Stock, Crypto or anything else.
I am trying to process the results of an array into a string to pass for a search. I want to build a string from the array that would look something like
("categories.name like '%Forms%' or categories.name like '%Apples%'")
serialize :category, JSON
if category.count > 1 && category.index != 0
$search_global.category.each do |cat_name|
cat_name.slice '" '
# cat_name
$array_count = $array_count + 1
if cat_name != ''
$inside_count = $inside_count +1
$cat_name_2 = "categories.name like %" + $cat_name_2 + cat_name + "% or " + $inside_count.to_s
end
end
end
If I select one item, it works fine as in
categories.name like %Forms% or 1
Please note that I am including the inside count just to get a better idea of what is happening.
The problem I have is when I select 2 or more items. categories.name like % is repeated twice and then the array items or listed as in
categories.name like %categories.name like %Calendar% or 1Forms% or 2
I can't seem to figure out why the concatenation isn't working as I expected.
$cat_name_2 = "categories.name like %" + $cat_name_2 + cat_name + "% or " + $inside_count.to_s
Your are using $cat_name_2 as the asignee as well as inside the assignment statement.
I'm trying to calculate a hash for a payment form but I get the error:
no implicit conversion of Fixnum into String
so I interpret this that I'm trying to do math calculation on what is text. But how should I correct my code?
The instructions from the payment merchant are:
hash = SHA1(salt + "|" + description + "|" + amount + "|" + currency +
"|" + transaction_type)
So in my controller I have:
def checkout
#organization = Organization.new(organizationnew_params)
if #organization.save
#organization.members.each do |single_member|
single_member.send_activation_email
end
#amount = 100.00
#currency = "EUR"
#description = #organization.id
#transaction_description = "My description"
#transaction_type = "S"
### LINE BELOW HAS THE HASH, WHICH REFERS TO THE PRIVATE METHOD BELOW ###
#hash = hash(#description, #amount, #currency, #transaction_type)
render 'checkout'
else
render 'new_premium'
end
end
private
def hash(description, amount, currency, transaction_type)
#hash = SHA1(SALT + "|" + description + "|" + amount + "|" + currency + "|" + transaction_type)
end
In an initializer I have defined SALT (as well as my merchant_id which is used in the form that is posted to the merchant in the checkout view).
Writing this will be better.
hash = SHA1([salt, description, amount.to_s, currency,transaction_type].join("|"))
You interpreted it wrongly, it's the other way round. You're trying to use a number as a string.
Try to explicitely convert the number in to a string, like so:
#hash = SHA1(SALT + "|" + description + "|" + amount.to_s + "|" + currency + "|" + transaction_type)
As I don't know what all the variables' types are, you might have to add another to_s to a non-string.
The error indicates that you are adding a number to a string, I think the problem is that "amount" is a number which you are adding to a string. you just have to change that:
#hash = SHA1(SALT + "|" + description + "|" + amount.to_s + "|" + currency + "|" + transaction_type)
the :to_s method will convert amount into string. (if there are other numbers just do the same.)
Or you can do this with string interpolation:
#hash = SHA1("#{SALT}|#{description}|#{amount}|#{currency}|#{transaction_type}")
s is hashes of array
relativebase = s.pluck(:base_point).inject(:+) + s.pluck(:distance_point).inject(:+) + s.pluck(:speed_point).inject(:+) + s.pluck(:frequency_point).inject(:+) + s.pluck(:quality_point).inject(:+)
This is calling the database four times which I want to do in one single query. How can i get this.
Something like:
User.select(:a, :b, :c, :d).all.inject([]) { |res, e| res << e.a; res << e.b; res << e.c; res << e.d; res }
Rails 4 supports multiple names in pluck:
relativebase = s.pluck(:base_point,
:distance_point,
:speed_point,
:frequency_point).inject(0) do |sum, (bp, dp, sp, fp)|
sum + bp + dp + sp + fp
end
Actually I personally think that it is probably better to calculate the sum in the database, but I'm not sure how to do that elegantly in rails:
SELECT SUM(base_point + distance_point + speed_point + frequency_point) FROM s