如何在Rails 4中清理原始SQL [英] How to sanitize raw SQL in Rails 4

问题描述

在Rails 3中，我可以使用 sanitize_sql_array 在需要原始SQL查询的某些情况下清理原始SQL。但这似乎已在Rails 4中删除，或者没有删除太多，而是移至ActiveRecord :: Sanitization。但是，我现在不知道如何调用 sanitize_sql_array ，那么在Rails 4中清理原始SQL的最佳方法是什么？

In Rails 3 I could use sanitize_sql_array to sanitize raw SQL for those occassional moments where a raw SQL query is needed. But this appears to have been removed in Rails 4, or not so much removed, but moved to ActiveRecord::Sanitization. However, I can not figure out how to call sanitize_sql_array now, so what's the best way to sanitize raw SQL in Rails 4?

我想澄清一下，我在这里谈论的是完整的原始SQL查询，而不是使用Rail的模型。我知道这不是最佳做法，这只是我要针对此特定查询执行的操作，因为它无法由Rails的漂亮ActiveRecord接口表示（请相信我，我已经尝试过）。

I want to clarify that I am talking about a full raw SQL query here, not using Rail's models. I'm aware that this is not best practice, this is just what I have to do for this specific query since it can't be represented by Rails's nice ActiveRecord interface (Trust me, I've tried).

这里是一个示例调用，它显然比我的查询实际看起来简单：

Here is a sample call, which is obviously simpler than what my query actually looks like:

query = "SELECT * FROM users 
LEFT OUTER JOIN posts ON users.id=posts.user_id
AND posts.topic_id = '#{topic.id}'" 
# ^- Obviously bad and very vulnerable, this is what we're trying to fix
ActiveRecord::Base.connection.select_all(query)

$ b的目的$ b

推荐答案

如果您确实需要编写原始SQL，则可以使用 quote 进行清理：

If you really need to write raw SQL you can use quote to sanitize it:

conn = ActiveRecord::Base.connection
name = conn.quote("John O'Neil")
title = conn.quote(nil)
query = "INSERT INTO users (name,title) VALUES (#{name}, #{title})"
conn.execute(query)

这篇关于如何在Rails 4中清理原始SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！