Sanitizing SQL in custom conditions

Updated: 2024-10-28 06:28:37
Problem description


I need to create a simple search but I can't afford to use Sphinx.

Here's what I wrote:

    keywords = input.split(/\s+/)
    queries = []
    keywords.each do |keyword|
      # The raw keyword is interpolated straight into the SQL string.
      # sanitize_sql_for_conditions only processes Arrays; a plain String
      # is returned unchanged, so nothing here is escaped.
      queries << sanitize_sql_for_conditions(
        "(classifications.species LIKE '%#{keyword}%' OR classifications.family LIKE '%#{keyword}%' OR classifications.trivial_names LIKE '%#{keyword}%' OR place LIKE '%#{keyword}%')"
      )
    end
    options[:conditions] = queries.join(' AND ')

Now, sanitize_sql_for_conditions does NOT work! It simply returns the original string.

How can I rewrite this code to escape malicious code?

Solution

If you replace the "#{keyword}" with a "?", you can do something like this. Using the question mark will automatically sanitize SQL.

    keywords = input.split(/\s+/)
    queries = []
    vars = []
    keywords.each do |keyword|
      # One "?" placeholder per column. The "?" has to stand on its own,
      # outside any quotes: Rails replaces every "?" in the statement with the
      # quoted value, so LIKE '%?%' would produce LIKE '%'keyword'%' and fail.
      # The wildcards therefore go into the bound value instead.
      queries << "(classifications.species LIKE ? OR classifications.family LIKE ? OR classifications.trivial_names LIKE ? OR place LIKE ?)"
      vars.concat(["%#{keyword}%"] * 4)
    end
    # :conditions takes the array form [sql, bind1, bind2, ...]
    options[:conditions] = [queries.join(' AND '), *vars]
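As an added worked example, not code from the original question or answer, the plain-Ruby script below builds the same keyword search as a bind-parameter conditions array and shows why the placeholder must sit outside the quotes. It runs without Rails: `quote_value` and `replace_binds` are simplified stand-ins that imitate what Rails does with `[sql, *binds]` (every `?` is replaced by the quoted value) and are assumptions for illustration, not the Rails implementation. The column names come from the question; the `escape_like` helper, the `!` escape character and the `ESCAPE '!'` clause are additions that also neutralise `%` and `_` inside the keyword, which bind parameters alone do not do.

```ruby
# Added example, not from the original post: the keyword search as a
# bind-parameter conditions array, in plain Ruby so it runs without Rails.
# quote_value and replace_binds imitate what Rails does with [sql, *binds]
# (every "?" is replaced by the quoted value); they are simplified stand-ins
# for illustration, not the Rails implementation.

# Column list taken from the question.
COLUMNS = %w[
  classifications.species
  classifications.family
  classifications.trivial_names
  place
].freeze

# LIKE_ESCAPE is an assumption: "!" is used instead of backslash so the
# ESCAPE clause needs no backslash quoting on MySQL, PostgreSQL or SQLite.
LIKE_ESCAPE = "!".freeze

# Escape LIKE metacharacters so a user-supplied "%" or "_" matches literally
# (same idea as Rails' sanitize_sql_like). Bind parameters alone do not do this.
def escape_like(str, escape = LIKE_ESCAPE)
  str.gsub(Regexp.union(escape, "%", "_")) { |m| escape + m }
end

# Quote a bound value the way a database adapter does: single quotes around
# the value, embedded single quotes doubled. Stand-in for connection.quote.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for Rails' bind replacement: each "?" in the statement, including
# one inside a string literal, becomes the next quoted value. This is why
# LIKE '%?%' yields LIKE '%'kw'%' and breaks, while LIKE ? with "%kw%" works.
def replace_binds(statement, values)
  raise ArgumentError, "bind arity mismatch" unless statement.count("?") == values.size
  bound = values.dup
  statement.gsub("?") { quote_value(bound.shift) }
end

# The vulnerable form from the question: the keyword is interpolated into SQL.
def interpolated_conditions(input)
  input.split(/\s+/).reject(&:empty?).map do |keyword|
    "(" + COLUMNS.map { |c| "#{c} LIKE '%#{keyword}%'" }.join(" OR ") + ")"
  end.join(" AND ")
end

# The fixed form: one bare "?" per column, wildcards and escaping applied to
# the bound value. Returns the :conditions array shape [sql, bind1, bind2, ...].
def parameterized_conditions(input)
  keywords = input.split(/\s+/).reject(&:empty?)
  clause = "(" + COLUMNS.map { |c| "#{c} LIKE ? ESCAPE '#{LIKE_ESCAPE}'" }.join(" OR ") + ")"
  sql = Array.new(keywords.size, clause).join(" AND ")
  binds = keywords.flat_map { |kw| ["%#{escape_like(kw)}%"] * COLUMNS.size }
  [sql, *binds]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile keyword: closes the parenthesis, adds a tautology,
  # and comments out the rest of the statement.
  hostile = "x%')OR(1=1)--"
  puts interpolated_conditions(hostile)
  sql, *binds = parameterized_conditions(hostile)
  puts replace_binds(sql, binds)
end
```

Run the file directly to see the interpolated statement with `x%')OR(1=1)--` as the keyword close the parenthesis and comment out everything after it, while the bound version keeps the whole keyword inside one quoted pattern. In a real Rails application use `sanitize_sql_like` for the escaping and hand the array to `where` or `:conditions`; the database adapter does the quoting, so do not substitute binds yourself.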

Published: 2023-10-16 11:32:14
Article link: https://www.elefans.com/category/jswz/34/1497435.html