I have a question about a Ruby on Rails SQL injection vulnerability. Let's say I have a method like this:
def self.search(args)
  # args is interpolated straight into the SQL string (the subject of the question)
  where_clause = "`items`.`name` LIKE '%#{args}%'"
  results = Item.where(where_clause)
  return results
end
where args is a value passed in from the search box. Is this vulnerable to attack? My initial thought was that this would be vulnerable to attack; however, after trying a few queries, I wasn't able to.
Is there something special about LIKE '%%' that makes it impervious to attack?
Thanks!
To be safe, I usually do this:
Item.where("name LIKE ?", "%#{args}%")
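The following is an added example, not code from the question or the answer above. It shows the difference between the two constructions without needing Rails or a database: the question's interpolated clause is rendered as-is, and the answer's bind parameter is rendered the way ActiveRecord quotes a string for `where("name LIKE ?", value)` on MySQL or SQLite (the whole value becomes one literal, embedded single quotes are doubled). The helper names, the `items` table and the sample inputs are all constructed for the example. A search term containing an apostrophe, such as a customer's surname, is enough to show the literal being terminated early in the interpolated form; the parameterized form keeps it intact and also escapes the LIKE wildcards `%` and `_`, which is what `ActiveRecord::Base.sanitize_sql_like` (Rails 4.2+) does for you.

```ruby
# Added example (not from the original post): why interpolating user input into
# a LIKE clause is unsafe, and what a parameterized query produces instead.
# No Rails or database required; the quoting below mirrors how ActiveRecord
# renders a string bind on MySQL/SQLite (single quotes doubled inside a literal).
# Assumption: args is a String taken from the search box.

# The question's pattern: args lands inside the SQL text verbatim.
def where_interpolated(args)
  "`items`.`name` LIKE '%#{args}%'"
end

# Render a value as a SQL string literal the way a bind parameter is rendered:
# the whole value becomes one literal and an embedded quote cannot end it early.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Escape LIKE metacharacters so a user-supplied % or _ matches literally.
# Equivalent of ActiveRecord::Base.sanitize_sql_like; MySQL treats backslash as
# the escape character by default, other databases need an explicit ESCAPE clause.
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |m| "\\#{m}" }
end

# The answer's pattern, where("name LIKE ?", "%#{args}%"), with the bind rendered.
def where_parameterized(args)
  "`items`.`name` LIKE #{quote_literal("%#{escape_like(args)}%")}"
end

# Heuristic check used only for this demonstration: an odd number of single
# quotes means the input terminated the literal and the remainder of args is
# being parsed as SQL rather than as data.
def literal_broken?(sql)
  sql.count("'").odd?
end

if __FILE__ == $0
  # Constructed sample inputs: a plain term, a name with an apostrophe, a wildcard.
  ["shoes", "O'Reilly", "100%"].each do |input|
    puts "input:         #{input.inspect}"
    puts "interpolated:  #{where_interpolated(input)}  broken=#{literal_broken?(where_interpolated(input))}"
    puts "parameterized: #{where_parameterized(input)}  broken=#{literal_broken?(where_parameterized(input))}"
    puts
  end
end
```

Running the script prints both renderings for each input; `O'Reilly` breaks the interpolated clause (three quotes, so the string literal ends after `%O` and the database sees `Reilly%'` as SQL) while the parameterized clause stays a single well-formed literal. The wildcard case shows the second benefit of the bind-plus-escape approach: `100%` is searched for literally instead of matching every name starting with `100`.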