相关疑难解决方法(0)

我需要创建一个简单的搜索,但我不能使用Sphinx.

这是我写的:

keywords = input.split(/\s+/)
queries = []

keywords.each do |keyword|
  queries << sanitize_sql_for_conditions(
              "(classifications.species LIKE '%#{keyword}%' OR 
               classifications.family LIKE '%#{keyword}%' OR 
               classifications.trivial_names LIKE '%#{keyword}%' OR
               place LIKE '%#{keyword}%')")
end

options[:conditions] = queries.join(' AND ')

现在,sanitize_sql_for_conditions不起作用!它返回只返回原始字符串.

如何重写此代码以逃避恶意代码？