Using Erb inside SQL fiields

Hi,

So I have a basic CMS I'm working on where a page has a title and a
body field. The body field is just plain html stored as text in the
SQL database.

I have two questions/concerns:

1) how do I get erb to work from within the SQL text entry? For
instance, one of my pages has an image_tag helper method in it that
doesn't work.

2) Is this a secure way to do this? Am I creating a security
vulnerability by organizing my content this way?

Thanks!

Ron

Hi,

So I have a basic CMS I'm working on where a page has a title and a
body field. The body field is just plain html stored as text in the
SQL database.

I have two questions/concerns:

1) how do I get erb to work from within the SQL text entry? For
instance, one of my pages has an image_tag helper method in it that
doesn't work.

You could try messing with render :inline, or I suppose call Erb
directly

2) Is this a secure way to do this? Am I creating a security
vulnerability by organizing my content this way?

Well the user could upload <% system("rm -rf/") %> or <%
ActiveRecord::Base.connection.execute("delete all from foos")%> so no,
not very safe.
You might be interested in liquid (http://www.liquidmarkup.org/) a
templating language that was designed with that sort of problem in mind.

Fred

Thanks, Fred. The ability to edit the SQL is behind a hashed login.
So the set of users looking at this would not type in something like
that. Although I suppose even leaving that possibility open isn't a
good practice.

Liquid markup looks really interesting. I'll have to try that out.

Ron