After following your series I have all my zipcode data loaded and read to go. Now I just need to know how to draw the polygons to a map. So my vote is for a visualization tools series.

Thanks.

You’re right in that I’ve kind of glossed over the security issues in this article. I’m assuming that, generally, you may not trust the *data* that you’re injecting, but at least you’re trusting the *Ruby objects* (i.e. their types, to_s behavior, etc.), since chances are the objects themselves are being created by you, or at least by Rails. In that case, correct me if I’m wrong, but I believe quoting should be sufficient. If the objects are being handed to you by an untrusted source, then yes, you’ll need to sanitize them before indiscriminately creating custom SQL.

Using prepared statements really isn’t a panacea for this, as far as I know. I believe you can still create a malicious object that will bypass quoting and allow SQL injection. Once you can modify code, all bets are off.

Daniel

That little change did the trick.

Use prepared statements indiscriminately and you can rest well; you lose a tiny bit of performance on one-off statements in MySQL, but it’s negligible when compared to the otherwise potential security risk.

Sorry, I got busy last week and your question fell off my radar. My fault.

The ewkb format that you’re passing into ST_GeomFromEWKB is missing the SRID. Now I see that this is because there was a typo in my sample code. I said:

EWKB = RGeo::WKRep::WKBGenerator.new(:type_format => :ewkb, :emit_ewkg_srid => true, :hex_format => true)

That should have been:

EWKB = RGeo::WKRep::WKBGenerator.new(:type_format => :ewkb, :emit_ewkb_srid => true, :hex_format => true)

(:emit_ewkb_srid, not :emit_ewkg_srid). Ugh. I need to proofread better. You’re also right about the “each_geometry”. I’ll get both those fixed in the article.

This might be slightly off topic but do you know how easy it would be to integrate postgres text search in with a geo-spacial app like this? – any example github apps or tutorials anywhere would be great. I’m not finding any so far that contain both search and geo with postgres.

I’m trying to follow your tutorial using Zilliows neighborhood maps. I’m getting
SELECT “neighborhoods”.* FROM “neighborhoods” WHERE (ST_Intersects(region, ST_GeomFromEWKB(E’\\x0000000001c168e64fb493c5ba414d8fa19831dca9′)))
ActiveRecord::StatementInvalid: PGError: ERROR: Operation on mixed SRID geometries

When I would like to do Neighborhood.containing_latlon(32.8440857175,-117.2713740425).
I have the region column SRID set to 3785, Neighborhood class has the simple mercator factory. Migration and importing went without a glitch (Except NoMethodError: undefined method `each_geometry’ for #, which I changed to each).
I found a nice troubleshooting guide at http://ragrawal.wordpress.com/2009/12/08/operations_on_mixed_geometries, I tried the advised solutions, but doesn’t seem to help. Any thoughts on what am I doing wrong?

Thanks