Chr*_*dau 5 sql ruby-on-rails prepared-statement
据我所知,应该可以在Rails中执行以下操作:
ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]])
但遗憾的是,这根本不起作用.任何格式我尝试使用时,$1并$2永远不会从绑定数组的相应值取代.
还有什么我应该照顾的吗?
您应该sanitize_sql_array在模型中使用,如下所示:
r = self.sanitize_sql_array(["SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=? AND created<=? GROUP BY month ORDER BY month ASC", created1, created2])
self.connection.select_all r
这可以保护您免受 SQL 注入。
Par*_*ngh -14
我不明白您是否尝试使用变量,但是是的,使用变量很容易,您错误地使用了它们
像这样使用它:
ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=#{v1} AND created<=#{v2} GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]])
其中 v1 和 v2 是变量。如果您正在尝试其他事情,请告诉我
谢谢
| 归档时间: |
|
| 查看次数: |
5135 次 |
| 最近记录: |