在
Ruby on Rails中,对于条件,很容易进行防sql注入查询:
:conditions => ["title = ?",title]
标题来自外部,从Web表单或类似的东西.
:select => "\"#{title}\" AS title" # I do have something like this in one instance
:joins => ["LEFT JOIN blah AS blah2 ON blah2.title = \"#{title}\""]
有没有办法妥善逃脱这些字符串?
解决方法
通常在Rails中,连接作为代表id连接的符号(或作为二阶连接的散列)完成,您可以使用条件将其过滤.如果需要这样做,可以使用ActiveRecord的
sanitize_sql_array来清理sql字符串,如下所示:
sanitize_sql_array(["LEFT JOIN blah AS blah2 ON blah2.title = ?",@blah.title])