需要避免在Rails3中进行SQL注入 [英] Need to avoid SQL Injection in Rails3

问题描述

我需要通过避免在Rails 3中进行SQL注入来重写以下代码。

I need the following code to be rewritten by avoiding SQL Injection in Rails 3.

some_table_name.joins("inner join #{table_name} on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = #{table_name}.id").
        where("#{table_name}.saved is true and #{table_name}.deleted_at is null")

在这里，table_name是动态的，并且会变化。

Here, table_name is dynamic and it will vary.

推荐答案

最后，我不得不像上面这样重写我的查询此

Finally, I had to rewrite my above query like this

some_table_name.joins(self.class.superclass.send(:sanitize_sql_array,"inner join #{table_name} as t1 on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = t1.id")).
          where("t1.saved is true and t1.deleted_at is null")

此处， self.class.superclass是 ActiveRecord :: Base

Here, 'self.class.superclass' is 'ActiveRecord::Base'

这篇关于需要避免在Rails3中进行SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！