在自定义条件下清理 SQL

发布于 2024-07-27 17:55:16 字数 573 浏览 5 评论 0原文

我需要创建一个简单的搜索，但我无法使用 Sphinx。

这是我写的：


keywords = input.split(/\s+/)
queries = []

keywords.each do |keyword|
  queries << sanitize_sql_for_conditions(
              "(classifications.species LIKE '%#{keyword}%' OR 
               classifications.family LIKE '%#{keyword}%' OR 
               classifications.trivial_names LIKE '%#{keyword}%' OR
               place LIKE '%#{keyword}%')")
end

options[:conditions] = queries.join(' AND ')

现在，sanitize_sql_for_conditions 不起作用！它返回只是返回原始字符串。

如何重写这段代码来逃避恶意代码？

原文

I need to create a simple search but I can't afford to use Sphinx.

Here's what I wrote:


keywords = input.split(/\s+/)
queries = []

keywords.each do |keyword|
  queries << sanitize_sql_for_conditions(
              "(classifications.species LIKE '%#{keyword}%' OR 
               classifications.family LIKE '%#{keyword}%' OR 
               classifications.trivial_names LIKE '%#{keyword}%' OR
               place LIKE '%#{keyword}%')")
end

options[:conditions] = queries.join(' AND ')

Now, sanitize_sql_for_conditions does NOT work! It returns simply returns the original string.

How can I rewrite this code to escape malicious code?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

转角预定愛 2024-08-03 17:55:16

如果将“#{keyword}”替换为“？”，则可以执行类似的操作。使用问号将自动清理 SQL。

keywords = input.split(/\s+/)
queries = []
vars = []

keywords.each do |keyword|
  queries << "(classifications.species LIKE '%?%' OR 
               classifications.family LIKE '%?%' OR 
               classifications.trivial_names LIKE '%?%' OR
               place LIKE '%?%')"
  vars = vars << keyword << keyword << keyword << keyword
end

options[:conditions] = [queries.join(' AND '), vars].flatten

If you replace the "#{keyword}" with a "?", you can do something like this. Using the question mark will automatically sanitize SQL.

keywords = input.split(/\s+/)
queries = []
vars = []

keywords.each do |keyword|
  queries << "(classifications.species LIKE '%?%' OR 
               classifications.family LIKE '%?%' OR 
               classifications.trivial_names LIKE '%?%' OR
               place LIKE '%?%')"
  vars = vars << keyword << keyword << keyword << keyword
end

options[:conditions] = [queries.join(' AND '), vars].flatten

回复收藏 0 原文

旧竹 2024-08-03 17:55:16

我在 ActiveRecord 中使用了很多自定义条件，但我喜欢将它们打包在条件数组数组中，然后使用 ? 组合它们。 value 让 AR 自动对它们进行消毒：

conditions = Array.new
conditions << ["name = ?", "bob"]
conditions << ["(created_at > ? and created_at < ?)", 1.year.ago, 1.year.from_now]  

User.find(:first, :conditions => combine_conditions(conditions))

 def combine_conditions(somearray) # takes an array of condition set arrays and reform them into a AR-compatible condition array
   conditions = Array.new
   values = Array.new
   somearray.each do |conditions_array|
     conditions << conditions_array[0] # place the condition in an array
     # extract values
     for i in (1..conditions_array.size - 1)
       values << conditions_array[i]
     end 
   end
   [conditions.join(" AND "), values].flatten
 end

I use a lot of custom conditions in ActiveRecord, but I like to package them in an array of condition arrays, then combine 'em, using the ? value lets AR santize them automatically:

conditions = Array.new
conditions << ["name = ?", "bob"]
conditions << ["(created_at > ? and created_at < ?)", 1.year.ago, 1.year.from_now]  

User.find(:first, :conditions => combine_conditions(conditions))

 def combine_conditions(somearray) # takes an array of condition set arrays and reform them into a AR-compatible condition array
   conditions = Array.new
   values = Array.new
   somearray.each do |conditions_array|
     conditions << conditions_array[0] # place the condition in an array
     # extract values
     for i in (1..conditions_array.size - 1)
       values << conditions_array[i]
     end 
   end
   [conditions.join(" AND "), values].flatten
 end

回复收藏 0 原文

~没有更多了~