需要避免在Rails3中进行SQL注入

本文介绍了需要避免在Rails3中进行SQL注入的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我需要通过避免在Rails 3中进行SQL注入来重写以下代码。

I need the following code to be rewritten by avoiding SQL Injection in Rails 3.

some_table_name.joins("inner join #{table_name} on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = #{table_name}.id"). where("#{table_name}.saved is true and #{table_name}.deleted_at is null")

在这里，table_name是动态的，并且会变化。

Here, table_name is dynamic and it will vary.

推荐答案

最后，我不得不像上面这样重写我的查询此

Finally, I had to rewrite my above query like this

some_table_name.joins(self.class.superclass.send(:sanitize_sql_array,"inner join #{table_name} as t1 on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = t1.id")). where("t1.saved is true and t1.deleted_at is null")

此处， self.class.superclass是 ActiveRecord :: Base

Here, 'self.class.superclass' is 'ActiveRecord::Base'