[英]How can I prevent SQL injection in following rails query?
數據是以下語句中的參數:
condition = params["id"].present? ? "employers.status = '#{params["id"].upcase}' and employers.task = '#{data.upcase}'" : "employers.task.rdu = '#{data.upcase}'"
首先不使用 SQL 字符串。 您可以通過傳遞 hash 來創建WHERE
子句:
condition = begin do
if params[:id].present?
Employer.where(
status: params[:id].upcase,
task: data.upcase
)
else
# I have no idea what you're doing with employers.task.rdu
Employer.where(
"task.rdu" => data.upcase
)
end
end
如果您絕對覺得需要使用 SQL 字符串,請使用占位符而不是字符串插值:
Employer.where(
"employers.status = ? and employers.task = ?", params[:id].upcase, data.upcase
)
Employer.where(
"employers.status = :status and employers.task = :task",
status: params[:id].upcase,
task: data.upcase
)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.