Ruby on Rails:不使用 find 时如何清理 SQL 字符串?
我正在尝试清理涉及用户输入的字符串,而不必在可能的情况下手动制作我自己的可能有错误的正则表达式,但是,如果这是唯一的方法,如果有人能给我指出正确的方向,我也会很感激正则表达式不太可能丢失任何东西。 Rails 中有许多方法可以让您输入本机 SQL 命令,人们如何转义这些用户输入?
我问的问题是一个广泛的问题,但在我的特殊情况下,我正在使用 Postgres 数据库中的一列,据我所知,Rails 本身并不理解该列,即 tsvector,它保存纯文本搜索信息。 Rails 能够像字符串一样写入和读取它,但是,与字符串不同的是,当我在模型内执行诸如 vector= 之类的操作时,它似乎不会自动转义。
例如,当我执行 model.name='::' 时,其中 name 是一个字符串,它工作正常。当我执行 model.vector='::' 时,它会出错:
ActiveRecord::StatementInvalid: PGError: ERROR: syntax error in tsvector: "::"
"vectors" = E'::' WHERE "id" = 1
这似乎是由于缺少分号转义而引起的问题,我可以手动设置 vector='::' 就好。
我也有一个好主意,也许我可以这样调用:
ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::"
但是,这种语法不起作用,因为原始 SQL 命令无法访问 find 的使用 ? 转义和输入字符串的方法。标记。
这让我觉得与使用任何类型的用户输入调用 connection.execute 都有同样的问题,因为这一切都归结为清理字符串,但我似乎找不到任何方法来手动调用 Rails 的 SQL 字符串清理方法。有人可以提供任何建议吗?
I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible, however, if that is the only way I would also appreciate if anyone can point me in the right direction to a regex that is unlikely to be missing anything. There are a number of methods in Rails that can allow you to enter in native SQL commands, how do people escape user input for those?
The question I'm asking is a broad one, but in my particular case, I'm working with a column in my Postgres database that Rails does not natively understand as far as I know, the tsvector, which holds plain text search information. Rails is able to write and read from it as if it's a string, however, unlike a string, it doesn't seem to be automatically escaping it when I do things like vector= inside the model.
For example, when I do model.name='::', where name is a string, it works fine. When I do model.vector='::' it errors out:
ActiveRecord::StatementInvalid: PGError: ERROR: syntax error in tsvector: "::"
"vectors" = E'::' WHERE "id" = 1
This seems to be a problem caused by lack of escaping of the semicolons, and I can manually set the vector='::' fine.
I also had the bright idea, maybe I can just call something like:
ActiveRecord::Base.connection.execute "UPDATE medias SET vectors = ? WHERE id = 1", "::"
However, this syntax doesn't work, because the raw SQL commands don't have access to find's method of escaping and inputting strings by using the ? mark.
This strikes me as the same problem as calling connection.execute with any type of user input, as it all boils down to sanitizing the strings, but I can't seem to find any way to manually call Rails' SQL string sanitization methods. Can anyone provide any advice?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
将此方法添加到您的模型中:
现在您可以执行任何 SQL,例如:
参考
1) sanitize_sql_array
Add this method to your model:
Now you can execute any SQL such as:
Reference
1) sanitize_sql_array