rails 3 activerecord order - 什么是正确的 sql 注入工作? [英] rails 3 activerecord order - what is the proper sql injection work around?

问题描述

假设我有一个用户列表页面，您可以按不同的列进行排序，当单击电子邮件"时，它将通过 sort_by=email sort_direction=asc 或 desc

let us say I have a list page of users and you can sort by the different columns, when clicking 'email' it will pass sort_by=email sort_direction=asc or desc

sort_by = "email" # really params[:sort_by]
sort_direction = "asc" # really params[:sort_direction]
User.order("#{sort_by} #{sort_direction}")
# SELECT "users".* FROM "users" ORDER BY email asc

所以它按预期工作，但是如果我们改变 sort_by

so that works as expected, however if we change the sort_by

sort_by = "email; DELETE from users; --"
User.order("#{sort_by} #{sort_direction}")
# SELECT "users".* FROM "users" ORDER BY email; DELETE from users; -- asc

现在我们没有更多用户了:(

now we have no more users :(

我可以手动构建有效 sort_by 的白名单并将 params[:sort_by] 与它进行比较，但希望有一些内置的方法来处理这种事情

I can manually build a whitelist of valid sort_by and compare params[:sort_by] to that, but was hoping there is some built in way to handle this kind of thing

推荐答案

Ryan Bates 的方法:

Ryan Bates' method:

在您的控制器中:

def index
  @users = User.order(sort_by + " " + direction)
end

private
  def sort_by
    %w{email name}.include?(params[:sort_by]) ? params[:sort_by] : 'name'
  end

  def direction
    %w{asc desc}.include?(params[:direction]) ? params[:direction] : 'asc'
  end

本质上您是在制作白名单，但它很容易做到并且不易被注入.

Essentially you're making a whitelist, but it's easy to do and insusceptible to injection.

这篇关于rails 3 activerecord order - 什么是正确的 sql 注入工作?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！