Need to avoid SQL Injection in Rails3
Problem description
I need the following code to be rewritten so that it avoids SQL injection in Rails 3.
some_table_name.joins("inner join #{table_name} on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = #{table_name}.id").
where("#{table_name}.saved is true and #{table_name}.deleted_at is null")
Here, table_name is dynamic and will vary.
Recommended answer
Finally, I had to rewrite my query above like this:
some_table_name.joins(self.class.superclass.send(:sanitize_sql_array,"inner join #{table_name} as t1 on linked_config_items.linked_type = '#{class_name}' and linked_config_items.linked_id = t1.id")).
where("t1.saved is true and t1.deleted_at is null")
Here, self.class.superclass is ActiveRecord::Base.
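The following is an added example, not code from the question or the answer above. It builds the same join fragment while separating the two things being interpolated: class_name is an SQL value, so it is bound through a "?" placeholder (which is what sanitize_sql_array substitutes when it receives an Array, not a bare String); table_name is an SQL identifier, which no bind mechanism can carry, so it is checked against an allowlist and quoted. The quoting helpers, the ALLOWED_TABLES list and the sanitize_sql_array stand-in are assumptions written so the script runs without Rails; in a real application they would be connection.quote_table_name, connection.quote and ActiveRecord's own sanitize_sql_array.

```ruby
# Added example: safe construction of the dynamic join from the question.
# Constructed allowlist; in an application this would be the set of tables
# the feature is actually allowed to join.
ALLOWED_TABLES = %w[servers switches firewalls].freeze

class UnsafeIdentifier < StandardError; end

# Identifiers cannot be bound as parameters, so the only safe dynamic table
# name is one that was known in advance. Quoting (stand-in for
# connection.quote_table_name) is added on top, not instead.
def checked_table(name)
  name = name.to_s
  raise UnsafeIdentifier, name unless ALLOWED_TABLES.include?(name)
  %("#{name}")
end

# Minimal stand-in for connection.quote: single quotes are doubled.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for ActiveRecord's sanitize_sql_array for "?" placeholders.
# Note the Array form: a bare String has no values to substitute.
def sanitize_sql_array(ary)
  statement, *values = ary
  unless statement.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  values = values.dup
  statement.gsub("?") { quote_value(values.shift) }
end

# The join fragment from the question: identifier allowlisted and quoted,
# value bound, nothing from the caller interpolated raw into the SQL.
def linked_join_sql(table_name, class_name)
  t = checked_table(table_name)
  sanitize_sql_array([
    "inner join #{t} as t1 on linked_config_items.linked_type = ? " \
    "and linked_config_items.linked_id = t1.id",
    class_name
  ])
end
```

The resulting string is what would be passed to joins; the where clause on t1.saved and t1.deleted_at contains no caller input and can stay as in the answer.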