col*_*rco 2 sql ruby-on-rails sanitize
我需要创建一个简单的搜索,但我不能使用Sphinx.
这是我写的:
keywords = input.split(/\s+/)
queries = []
keywords.each do |keyword|
queries << sanitize_sql_for_conditions(
"(classifications.species LIKE '%#{keyword}%' OR
classifications.family LIKE '%#{keyword}%' OR
classifications.trivial_names LIKE '%#{keyword}%' OR
place LIKE '%#{keyword}%')")
end
options[:conditions] = queries.join(' AND ')
现在,sanitize_sql_for_conditions不起作用!它返回只返回原始字符串.
如何重写此代码以逃避恶意代码?
如果将"#{keyword}"替换为"?",则可以执行以下操作.使用问号将自动清理SQL.
keywords = input.split(/\s+/)
queries = []
vars = []
keywords.each do |keyword|
queries << "(classifications.species LIKE '%?%' OR
classifications.family LIKE '%?%' OR
classifications.trivial_names LIKE '%?%' OR
place LIKE '%?%')"
vars = vars << keyword << keyword << keyword << keyword
end
options[:conditions] = [queries.join(' AND '), vars].flatten