我正在构建一个像这样的Ecto查询:
from item in query,
where: like(item.description, ^"%#{text}%")
我担心这会允许SQL注入text.在尝试修复之前,我想看看查询是如何实际发送到数据库的.
如果我检查查询或查看记录的内容,我会看到一些SQL,但它无效.
例如,检查查询向我显示:
{"SELECT i0.\"id\", i0.\"store_id\", i0.\"title\", i0.\"description\"
FROM \"items\" AS i0 WHERE (i0.\"description\" LIKE $1)",
["%foo%"]}
当我将此查询传递给Repo.all它时,它记录下来:
SELECT i0."id", i0."store_id", i0."title", i0."description"
FROM "items" AS i0 WHERE (i0."description" LIKE $1) ["%foo%"]
但是如果我复制并粘贴它psql,PostgreSQL会给我一个错误:
错误:42P02:没有参数$ 1
似乎Ecto实际上可能正在进行参数化查询,如下所示:
PREPARE bydesc(text) AS SELECT i0."id",
i0."store_id", i0."title", i0."description"
FROM "items" AS i0 WHERE (i0."description" LIKE $1);
EXECUTE bydesc('foo');
如果是这样,我认为这会阻止SQL注入.但我只是猜测这就是Ecto的作用.
如何查看Ecto正在执行的实际SQL?