在自定义条件下清理 SQL [英] Sanitize SQL in custom conditions
本文介绍了在自定义条件下清理 SQL的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我需要创建一个简单的搜索,但我负担不起使用 Sphinx.
这是我写的:
<预><代码>关键字 = input.split(/\s+/)查询 = []关键字.每个做|关键字|查询<现在,sanitize_sql_for_conditions 不起作用!它返回只是返回原始字符串.
如何重写此代码以逃避恶意代码?
解决方案
如果将#{keyword}"替换为?",您可以执行以下操作.使用问号会自动清理 SQL.
keywords = input.split(/\s+/)查询 = []变量 = []关键字.每个做|关键字|查询<<"(classifications.species LIKE '%?%' ORcategorys.family LIKE '%?%' 或categorys.trivial_names LIKE '%?%' OR放置 LIKE '%?%')"vars = vars <<关键字<<关键字<<关键字<<关键词结尾options[:conditions] = [queries.join(' AND '), vars].flattenI need to create a simple search but I can't afford to use Sphinx.
Here's what I wrote:
keywords = input.split(/\s+/)
queries = []
keywords.each do |keyword|
queries << sanitize_sql_for_conditions(
"(classifications.species LIKE '%#{keyword}%' OR
classifications.family LIKE '%#{keyword}%' OR
classifications.trivial_names LIKE '%#{keyword}%' OR
place LIKE '%#{keyword}%')")
end
options[:conditions] = queries.join(' AND ')
Now, sanitize_sql_for_conditions does NOT work! It returns simply returns the original string.
How can I rewrite this code to escape malicious code?
解决方案
If you replace the "#{keyword}" with a "?", you can do something like this. Using the question mark will automatically sanitize SQL.
keywords = input.split(/\s+/)
queries = []
vars = []
keywords.each do |keyword|
queries << "(classifications.species LIKE '%?%' OR
classifications.family LIKE '%?%' OR
classifications.trivial_names LIKE '%?%' OR
place LIKE '%?%')"
vars = vars << keyword << keyword << keyword << keyword
end
options[:conditions] = [queries.join(' AND '), vars].flatten
这篇关于在自定义条件下清理 SQL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
