Tags: mysql, activerecord, sanitization, ruby-on-rails
I am using the find_by_sql method and I am not sure whether what I am doing is safe. If it is not, how can I sanitize my variables?
# The values are interpolated straight into the SQL string, so a single quote in
# params[:table] (or in @stime / @etime) closes the literal and the rest runs as SQL.
Table.find_by_sql("SELECT * FROM TABLES
WHERE table.`table_id` = '#{params[:table]}'
and insights.`created_at` >= '#{@stime}'
and insights.`created_at` <= '#{@etime}'
GROUP BY places.`id`
ORDER BY sum(insights.`checkins`) DESC").paginate(:page => params[:page], :per_page => Place.per_page)
Your SQL is currently unsafe. Change it to:
# Pass an array: the SQL string first, then one value per ? placeholder.
# ActiveRecord quotes and escapes each value itself, so write the placeholders
# as bare ? (not '?', which would double-quote the value and break the literal).
Table.find_by_sql(["SELECT * FROM TABLES
WHERE table.`table_id` = ?
and insights.`created_at` >= ?
and insights.`created_at` <= ?
GROUP BY places.`id`
ORDER BY sum(insights.`checkins`) DESC",
params[:table],
@stime,
@etime]).
paginate(:page => params[:page], :per_page => Place.per_page)
Note that the argument to find_by_sql is an array: the first element is the SQL string, and the remaining elements are the parameters.
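To show what the array form actually does to the query text, here is an added example that is not part of the question or the answer above. It does not require Rails: `sanitize_sql_array` below is a small stand-in written for this page that mimics the placeholder substitution ActiveRecord performs (one quoted, escaped value per bare `?`, backslash escaping as the MySQL adapter does), which is an assumption about its behaviour rather than ActiveRecord's own code. The attacker-controlled value is constructed for the demonstration. It contrasts the interpolated query from the question, the bare-`?` form from the answer, and the common `'?'` mistake.

```ruby
# Added example: a minimal imitation of ActiveRecord's sanitize_sql_array
# (assumed behaviour: each bare ? is replaced by a quoted, escaped literal).
# Not ActiveRecord's code; used here so the example runs without Rails.

# Quote one value as a MySQL literal. Strings are wrapped in single quotes
# with backslashes and single quotes escaped; numbers are emitted as-is.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil then "NULL"
  else "'" + value.to_s.gsub(/['\\]/) { |c| "\\#{c}" } + "'"
  end
end

# Replace each ? in the statement with the next quoted value.
# Raises if the number of placeholders and values do not match.
def sanitize_sql_array(statement, *values)
  placeholders = statement.count("?")
  unless placeholders == values.size
    raise ArgumentError, "#{placeholders} placeholders but #{values.size} values"
  end
  remaining = values.dup
  statement.gsub("?") { quote_value(remaining.shift) }
end

# Constructed attacker-controlled input, standing in for params[:table].
MALICIOUS_TABLE = "1' OR '1'='1"

# The pattern from the question: the value is interpolated into the string, so
# the attacker's quote closes the literal and the rest is parsed as SQL.
def interpolated_query(table_id)
  "SELECT * FROM tables WHERE table_id = '#{table_id}'"
end

# The pattern from the answer: a bare ? placeholder. The helper supplies the
# quotes and escapes the attacker's quote, so the whole value stays a literal.
def parameterised_query(table_id)
  sanitize_sql_array("SELECT * FROM tables WHERE table_id = ?", table_id)
end

# Common mistake: writing '?' instead of ?. The value is still quoted by the
# helper, so the literal ends up wrapped in two sets of quotes and is malformed.
def double_quoted_query(table_id)
  sanitize_sql_array("SELECT * FROM tables WHERE table_id = '?'", table_id)
end

# The full shape used in the answer: several placeholders, values in order.
def range_query(table_id, stime, etime)
  sanitize_sql_array(
    "SELECT * FROM tables WHERE table_id = ? AND created_at >= ? AND created_at <= ?",
    table_id, stime, etime
  )
end

if __FILE__ == $0
  puts "interpolated:   #{interpolated_query(MALICIOUS_TABLE)}"
  puts "parameterised:  #{parameterised_query(MALICIOUS_TABLE)}"
  puts "double-quoted:  #{double_quoted_query(MALICIOUS_TABLE)}"
  puts "range:          #{range_query(7, '2012-01-01', '2012-01-31')}"
end
```

Running it prints the interpolated query with the `OR '1'='1'` tail as live SQL, the parameterised query with every attacker quote escaped inside one literal, and the `'?'` variant with doubled quotes around the value, which is why the placeholder in the answer must not be wrapped in quotes.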
Views: 410