本文介绍了需要避免在Rails3中进行SQL注入的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我需要通过避免在Rails 3中进行SQL注入来重写以下代码。
I need the following code to be rewritten by avoiding SQL Injection in Rails 3.
some_table_name.joins("inner join #{table_name} on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = #{table_name}.id"). where("#{table_name}.saved is true and #{table_name}.deleted_at is null")在这里,table_name是动态的,并且会变化。
Here, table_name is dynamic and it will vary.
推荐答案最后,我不得不像上面这样重写我的查询此
Finally, I had to rewrite my above query like this
some_table_name.joins(self.class.superclass.send(:sanitize_sql_array,"inner join #{table_name} as t1 on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = t1.id")). where("t1.saved is true and t1.deleted_at is null")此处, self.class.superclass是 ActiveRecord :: Base
Here, 'self.class.superclass' is 'ActiveRecord::Base'
更多推荐
需要避免在Rails3中进行SQL注入
发布评论