如何使用“?” 在Ruby On Rails中选择MySQL中的符号?
[英]How to use the '?' symbol in a MySQL select in Ruby On Rails?
问题描述
I need to get the pertinence of a MySQL Fulltext search in my Rails 4.2 app. 
我需要在Rails 4.2应用程序中获得MySQL全文搜索的针对性。 So I need an alias (pertinence) in the select clause. 所以我需要在select子句中使用别名(相关性)。
The problem is to use the '?' 问题是使用'?' symbol as in a where clause, but in a select: 符号与where子句中相同,但在select中:
Model.select("articles.*, MATCH (name) AGAINST (? IN BOOLEAN MODE) AS pertinence", @search).where(...).order("pertinence DESC")
If I do: 如果我做:
Model.select('articles.*, MATCH (name) AGAINST ("' + @search + '" IN BOOLEAN MODE) AS pertinence').where(...).order("pertinence DESC")
I can have issues with quotes in @search (no sanitization) and SQL injection. 我可能在@search(无消毒)和SQL注入中出现引号问题。
So how to perform this kind of queries with Active Record ? 那么如何使用Active Record执行这种查询呢?
Thanks 谢谢
1 个解决方案
解决方案1
1 已采纳 2016-02-17 04:42:38
You can manually sanitize the search parameter. 您可以手动清理搜索参数。
search_param = ActiveRecord::Base::sanitize(@search)
Model.select("articles.*, MATCH (name) AGAINST (#{search_param} IN BOOLEAN MODE) AS pertinence").where(...).order("pertinence DESC")
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.