防止在 Rails 中注入 sql [英] prevent sql injection in rails

问题描述

我正在使用以下查询在谷歌地图上查找最近的位置.它是否不受 Sql 注入的影响.如果没有，谁能帮我摆脱它.

I am using the following query to find nearest locations google maps. Is it immune to the Sql injection. If not can anyone help me to get rid of it.

AlphaCourses.find_by_sql("SELECT *,(  6371 * acos( cos( radians( #{@latitude} ) ) * cos( radians( latitude ) ) * cos( radians( longitude ) - radians( #{@longitude} ) ) + sin( radians( #{@latitude} ) ) * sin( radians( latitude ) ) ) ) AS distance FROM alpha_courses HAVING distance <= #{@radius} ORDER BY distance LIMIT 200")

提前致谢.

推荐答案

来自:http://guides.rubyonrails.org/active_record_querying.html#pure-string-conditions

此代码

....("orders_count = ?", params[:orders])

比这个代码更可取:

....("orders_count = #{params[:orders]}")

因为参数安全.将变量直接放入条件字符串将变量按原样传递给数据库.这意味着它将是直接来自用户的未转义变量可能有恶意.如果你这样做，你就把你的整个数据库存在风险，因为一旦用户发现他或她可以利用您的数据库，他们几乎可以做任何事情.从来没有放您的参数直接在条件字符串中.

because of argument safety. Putting the variable directly into the conditions string will pass the variable to the database as-is. This means that it will be an unescaped variable directly from a user who may have malicious intent. If you do this, you put your entire database at risk because once a user finds out he or she can exploit your database they can do just about anything to it. Never ever put your arguments directly inside the conditions string.

将此应用到您的示例中！

Apply this to your example!

这篇关于防止在 Rails 中注入 sql的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！