Rails,如何清理 find_by_sql 中的 SQL [英] Rails, how to sanitize SQL in find_by_sql
问题描述
有没有办法在rails方法find_by_sql
中清理sql?
Is there a way to sanitize sql in rails method find_by_sql
?
我已经尝试过这个解决方案:Ruby on Rails:不使用 find 时如何为 SQL 清理字符串?
I've tried this solution: Ruby on Rails: How to sanitize a string for SQL when not using find?
但它失败了
Model.execute_sql("Update users set active = 0 where id = 2")
它抛出一个错误,但执行了 sql 代码并且 ID 为 2 的用户现在拥有一个禁用的帐户.
It throws an error, but sql code is executed and the user with ID 2 now has a disabled account.
简单的 find_by_sql
也不起作用:
Simple find_by_sql
also does not work:
Model.find_by_sql("UPDATE user set active = 0 where id = 1")
# => code executed, user with id 1 have now ban
好吧,我的客户要求在管理面板中创建该功能(通过 sql 选择)以进行一些复杂的查询(连接、特殊条件等).所以我真的很想找到_by_sql那个.
Well my client requested to make that function (select by sql) in admin panel to make some complex query(joins, special conditions etc). So I really want to find_by_sql that.
第二次
我想实现不执行邪恶"的 SQL 代码.
I want to achieve that 'evil' SQL code won't be executed.
在管理面板中,您可以输入 query -> Update users set admin = true where id = 232
并且我想阻止任何 UPDATE/DROP/ALTER SQL 命令.只是想知道,在这里你只能执行 SELECT.
In admin panel you can type query -> Update users set admin = true where id = 232
and I want to block any UPDATE / DROP / ALTER SQL command.
Just want to know, that here you can ONLY execute SELECT.
经过一些尝试,我得出结论 sanitize_sql_array
不幸的是不要这样做.
After some attempts I conclude sanitize_sql_array
unfortunatelly don't do that.
有没有办法在 Rails 中做到这一点??
Is there a way to do that in Rails??
抱歉造成混乱..
推荐答案
试试这个:
connect = ActiveRecord::Base.connection();
connect.execute(ActiveRecord::Base.send(:sanitize_sql_array, "your string"))
您可以将其保存在变量中并用于您的目的.
You can save it in variable and use for your purposes.
这篇关于Rails,如何清理 find_by_sql 中的 SQL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!