On Fri, Jan 10, 2014 at 3:14 PM, Colin Taylor <cjntay...@gmail.com> wrote:

> I'm trying to build a web application for data analysis. The
> client can send ad-hoc queries to my back-end data service.

I would advise you question the need for this.  Not because it's
difficult in Rails, but for security.  Imagine what someone with evil
intents could do.  He could delete your data, or worse yet just alter
it so the answers are wrong.  He could fill up your database, and if
there aren't limits on that, then maybe your whole disk.  Depending
what DBMS you're using, *maybe* there's some way to make it read-only.
Alternately, maybe there's some gem that will sanitize it for you.
IWCTW, you could take the more difficult approach of letting them
specify what variable(s) need to be in what range, what tables to join
on, etc.

-Dave

-- 
Dave Aronson, the T. Rex of Codosaurus LLC (codosaur.us),
freelance software developer, and creator of these sites:
PullRequestRoulette.com, blog.codosaur.us, & Dare2XL.com.
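Dave's suggested alternative to accepting raw queries, as an added example that is not code from this thread: a Ruby builder that maps a structured client request (which tables, which columns, which value ranges) onto an allowlisted schema and emits parameterized SQL with a hard row cap. The tables, columns and join rule below are a constructed sample schema, not the original poster's.

```ruby
# Added example, not from the thread: turn a structured request into a
# parameterized, read-only SELECT instead of running client-supplied SQL.
# SCHEMA and JOINS are a constructed sample allowlist, not the poster's schema.
SCHEMA = {
  "measurements" => %w[id sensor_id value recorded_at],
  "sensors"      => %w[id name site]
}.freeze
JOINS = { %w[measurements sensors] => "measurements.sensor_id = sensors.id" }.freeze
OPS   = { "gte" => ">=", "lte" => "<=", "eq" => "=" }.freeze
MAX_ROWS = 1000 # hard cap so one query cannot pull the whole table

class InvalidQuery < StandardError; end

# Only identifiers already present in SCHEMA can reach the SQL string.
def qualified(table, column)
  raise InvalidQuery, "unknown table #{table}" unless SCHEMA.key?(table)
  raise InvalidQuery, "unknown column #{table}.#{column}" unless SCHEMA[table].include?(column)
  "#{table}.#{column}"
end

# request: { "tables" => [t1, t2?], "select" => [[table, col], ...],
#            "filters" => [[table, col, op, value], ...], "limit" => n }
# Returns [sql_with_placeholders, bind_values]; every client value is a bind.
def build_query(request)
  tables = Array(request["tables"])
  raise InvalidQuery, "one or two tables required" unless (1..2).cover?(tables.size)
  tables.each { |t| raise InvalidQuery, "unknown table #{t}" unless SCHEMA.key?(t) }

  select = Array(request["select"]).map { |t, c| qualified(t, c) }
  raise InvalidQuery, "select at least one column" if select.empty?

  where, binds = [], []
  Array(request["filters"]).each do |t, c, op, value|
    raise InvalidQuery, "unknown operator #{op}" unless OPS.key?(op)
    where << "#{qualified(t, c)} #{OPS[op]} ?"
    binds << value
  end

  limit = request.fetch("limit", MAX_ROWS).to_i
  limit = MAX_ROWS if limit <= 0 || limit > MAX_ROWS
  sql = "SELECT #{select.join(', ')} FROM #{tables.first}"
  if tables.size == 2
    cond = JOINS[tables.sort] || raise(InvalidQuery, "no join rule for #{tables.join(' + ')}")
    sql << " JOIN #{tables.last} ON #{cond}"
  end
  sql << " WHERE #{where.join(' AND ')}" unless where.empty?
  sql << " LIMIT #{limit}"
  [sql, binds]
end
```

The returned pair is what you would hand to the driver's prepared-statement call; the database user running it should still be a read-only role so a bug in the builder cannot turn into a write.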
