
ruby on rails sql injection on LIKE '%#{argument}%' vulnerable?

I have a question about ruby on rails sql injection vulnerability. Let's say I have a method like this:

def self.search(args)
  # args is interpolated straight into the SQL text, so it is part of the
  # statement rather than a bound value (the original had the string unquoted)
  where_clause = "`items`.`name` LIKE '%#{args}%'"
  results = Item.where(where_clause)
  return results
end

where args is a value passed in from the search box. Is this vulnerable to attack? My initial thought was that this would be vulnerable to attack, however, after trying a few queries, I wasn't able to.

Is there something special about LIKE '%%' that makes it impervious to attack?

Thanks!

To be safe, I usually do this:

Item.where("name LIKE ?", "%#{args}%")
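Added example (not from the question or the answer above): plain Ruby, no ActiveRecord, showing why the interpolated clause breaks as soon as the input contains a quote, and what the answer's bound-parameter form sends instead. The `sanitize_sql_like` helper is a reimplementation of the Rails method of the same name (an assumption about its behaviour, not the Rails source), included because a bound value still has `%` and `_` interpreted as LIKE wildcards.

```ruby
# The question's pattern: user input pasted into the SQL text itself.
# A single quote in args closes the string literal early and the rest of
# the input becomes SQL syntax, which is exactly the injection condition.
def unsafe_where_clause(args)
  "`items`.`name` LIKE '%#{args}%'"
end

# Reimplementation (assumed equivalent) of ActiveRecord::Base.sanitize_sql_like:
# escapes the escape character itself, then % and _, so that a user typing
# "50%" searches for a literal percent sign instead of a wildcard.
def sanitize_sql_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |match| escape_character + match }
end

# The answer's pattern: the SQL text is a fixed template and the value is
# handed to the driver as a bind. Returns [sql, binds]; the driver quotes the
# bind, so no character in args can terminate the literal or add syntax.
def safe_where_clause(args)
  ["name LIKE ? ESCAPE '\\'", ["%#{sanitize_sql_like(args)}%"]]
end

# Cheap review check for a clause built by interpolation: the template has
# exactly two single quotes, so any other count means the literal was broken.
def literal_intact?(sql)
  sql.count("'") == 2
end

# Constructed inputs: an ordinary search term and one with an apostrophe.
puts unsafe_where_clause("shoes")
puts unsafe_where_clause("it's")        # literal closed early: broken SQL
p safe_where_clause("it's")             # value stays out of the SQL text
p safe_where_clause("50%_off")          # wildcards escaped for the bind
```

With the bound form the database sees one fixed statement regardless of input; with the interpolated form every search term is compiled as SQL.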
