ruby on rails为oracle视图/函数准备的语句

Question

I have the following code which executes an oracle view as follows: 我有以下代码，该代码执行如下的oracle视图：

def run_query
    connection.exec_query(
      "SELECT * FROM TABLE(FN_REQRESP(#{type_param},
                                      #{search_type_param},
                                      #{tid_param},
                                      #{last_param},
                                      #{key_param},
                                      #{tran_id_param},
                                      #{num_param},
                                      #{start_date_param},
                                      #{end_date_param}))")
end

The output of the above query is as follows: 以上查询的输出如下：

SELECT * FROM TABLE(FN_REQRESP('ALL',
 'ALL_TRAN',
 '100007',
 '',
 '',
 '',
 '',
 TO_DATE('27-January-2017','dd-MON-yy'),
 TO_DATE('31-January-2017','dd-MON-yy')))

The problem is that above query has a SQL injection vulnerability. 问题在于上述查询具有SQL注入漏洞。

So, i tried to add a prepare statement as follows: 因此，我尝试添加一个prepare语句，如下所示：

 connection.exec_query('SELECT * FROM TABLE(FN_REQRESP(?,?,?,?,?,?,?,?,?))','myquery',[type_param,search_type_param,tid_param,last_param,key_param,tran_id_param,num_param,start_date_param,end_date_param])

I get the following error now: 我现在收到以下错误：

NoMethodError: undefined method `type' for "'ALL'":String: SELECT * FROM TABLE(FN_REQRESP(?,?,?,?,?,?,?,?,?)) NoMethodError：“'ALL'”的未定义方法“ type”：字符串：SELECT * FROM TABLE（FN_REQRESP（？，？，？，？，？，？，？，？，？））

It's the single quotes that messing it up I beleive. 我相信这是单引号。 Is there a way to overcome this? 有办法克服吗？

EDIT: I tried NDN's answer and the error below: 编辑：我尝试了NDN的答案和以下错误：

OCIError: ORA-00907: missing right parenthesis: SELECT * FROM TABLE(FN_REQRESP('\'ALL\'',
                                      '\'ALL_TRAN\'',
                                      '\'100007\'',
                                      '\'\'',
                                      '\'\'',
                                      '\'\'',
                                      '\'\'',
                                      'TO_DATE(\'01-February-2017\',\'dd-MON-yy\')',
                                      'TO_DATE(\'10-February-2017\',\'dd-MON-yy\')'))

Answer 1

Looking at the source , binds gets cast in some magical way and you have to pass a named prepare: true argument as well. 从源头来看， binds会以某种神奇的方式进行转换，并且您还必须传递一个命名的prepare: true参数。

It also used to work differently in older versions . 在旧版本中，它的工作方式也有所不同。

To save yourself the trouble, you can simply use #sanitize : 为了避免麻烦，您只需使用#sanitize ：

params = {
  type:        type_param,
  search_type: search_type_param,
  tid:         tid_param,
  last:        last_param,
  key:         key_param,
  tran_id:     tran_id_param,
  num:         num_param,
  start_date:  start_date_param,
  end_date:    end_date_param,
}

params.each do |key, param|
  params[key] = ActiveRecord::Base.sanitize(param)
end

connection.exec_query(
  "SELECT * FROM TABLE(FN_REQRESP(#{params[:type]},
                                  #{params[:search_type]},
                                  #{params[:tid]},
                                  #{params[:last]},
                                  #{params[:key]},
                                  #{params[:tran_id]},
                                  #{params[:num]},
                                  #{params[:start_date]},
                                  #{params[:end_date]}))"
)

Answer 2

This is called Prepared Statement. 这称为准备语句。 In doc you can find an example how to use it. 在doc中，您可以找到如何使用它的示例。

ruby on rails为oracle视图/函数准备的语句

问题描述

2 个解决方案

解决方案1
3 2017-02-07 22:45:09

解决方案2
0 2017-02-13 09:46:22

ruby on rails为oracle视图/函数准备的语句

问题描述

2 个解决方案

解决方案1 3 2017-02-07 22:45:09

解决方案2 0 2017-02-13 09:46:22

解决方案1
3 2017-02-07 22:45:09

解决方案2
0 2017-02-13 09:46:22