Rails字符串注入添加引号
[英]Rails string injection adds quotations marks
问题描述
I am trying to enter a letter given by the get request into a Like statment in tails 3. So far I have the following code: 
我正在尝试将由get请求给出的字母输入到尾部3的Like语句中。到目前为止,我具有以下代码:
@entries = Entry.where("key LIKE '?%'", params[:letter]).order(:key)
Problem is it is creating the wrong kind of sql query adding quotation marks around the injected letter. 问题是它正在创建错误类型的sql查询,并在注入的字母周围添加了引号。 it creates the following sql for :letter => 'a': 它为:letter =>'a'创建以下sql:
SELECT "entries".* FROM "entries" WHERE (key LIKE ''a'%') ORDER BY key
Instead of: 代替:
SELECT "entries".* FROM "entries" WHERE (key LIKE 'a%') ORDER BY key
How can I fix this? 我怎样才能解决这个问题?
1 个解决方案
解决方案1
4 已采纳 2012-10-03 22:30:10
@entries = Entry.where("key LIKE ?", "#{params[:letter]}%").order(:key)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
升级到Rails 4.2.0:字符串文字,其中条件包含在引号中 - Upgrade to Rails 4.2.0: string literals in where conditions wrapped into quotation marks
Rails 2数据库模型返回带问号的错误编码字符串 - Rails 2 database model returns bad encoded string with question marks
如何从Rails 1.2.5中的字符串中删除html标记 - How to remove html marks from string in rails 1.2.5
CSV.generate在字符串中添加引号 - CSV.generate adds quotation marks to strings
Rails转义符用于两层报价 - Rails escape characters for two layers of quotations
Rails向查询添加AND(1 = 0) - Rails adds `AND (1=0)` to queries
滑轨。 使用占位符和字符串时,如何从查询条件中删除引号? - Rails. How to remove quotation marks from query conditions when using a placeholder and string?
Rails控制器添加引号 - Rails controller adding quotation marks
轨中的SQL注入 - sql injection in rails
Rails SQL注入漏洞 - Rails SQL injection vulnerability
相关标签