如何防止 SQL 在以下轨道查询中注入?
[英]How can I prevent SQL injection in following rails query?
问题描述
Data is a param in the below statement:
数据是以下语句中的参数:
condition = params["id"].present? ? "employers.status = '#{params["id"].upcase}' and employers.task = '#{data.upcase}'" : "employers.task.rdu = '#{data.upcase}'"
1 个解决方案
解决方案1
1 2021-04-21 18:47:13
By not using a SQL string in the first place.首先不使用 SQL 字符串。 You can create a WHERE clause by passing a hash instead:您可以通过传递 hash 来创建WHERE子句:
condition = begin do
if params[:id].present?
Employer.where(
status: params[:id].upcase,
task: data.upcase
)
else
# I have no idea what you're doing with employers.task.rdu
Employer.where(
"task.rdu" => data.upcase
)
end
end
If you absolutely feel that you need to use a SQL string use placeholders instead of string interpolation:如果您绝对觉得需要使用 SQL 字符串,请使用占位符而不是字符串插值:
Employer.where(
"employers.status = ? and employers.task = ?", params[:id].upcase, data.upcase
)
Employer.where(
"employers.status = :status and employers.task = :task",
status: params[:id].upcase,
task: data.upcase
)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
这个参数化查询如何防止 SQL 注入? - How can this Parametrized Query Prevent SQL Injection?
如何防止PHP中的SQL注入? - How can I prevent SQL injection in PHP?
如何防止 SQL 注入? - How can I prevent SQL injection?
如何防止sql注入但保留“和”? - How can i prevent sql injection but keep " and '?
如何在Rails中编写以下查询? - How can I write the following query in Rails?
如何在PYTHON-DJANGO中阻止SQL注入? - How can I prevent SQL injection in PYTHON-DJANGO?
如何优化以下SQL查询 - How can I optimize the following SQL query
如何简化以下SQL查询? - How can I simplify the following SQL query?
如何防止Visual Basic 2012中的以下代码上的SQL注入 - How to prevent SQL Injection on following code in Visual Basic 2012
如何从 Laravel 中的 SQL 注入保护这个 sql 查询? - How can I secure this sql query from SQL Injection in Laravel?
相关标签