Rails:使用named_scope触发MySQL“in”

发布于 2024-09-07 06:22:21 字数 693 浏览 5 评论 0原文

问题:

我想运行一个查询,该查询会触发诸如

select * from users where code in (1,2,4);

使用named_scope之类的操作。


我尝试过的内容:

这是针对单个代码的:

named_scope :of_code, lambda {|code| {:conditions => ["code = ?", code]}}

我尝试了类似的操作

named_scope :of_codes, lambda {|codes| {:conditions => ["code in ?", codes]}}

并发送了

user.of_codes('(1,2,4)')

触发器 select * from users where code in '(1,2,4)' 由于额外的引号,这会引发 MySQL 错误。

PS: 理想情况下我想发送 user.of_codes([1,2,4])

PROBLEM:

I want to run a query which would trigger something like

select * from users where code in (1,2,4);

using a named_scope.


WHAT I TRIED:

This is for a single code:

named_scope :of_code, lambda {|code| {:conditions => ["code = ?", code]}}

I tried something like

named_scope :of_codes, lambda {|codes| {:conditions => ["code in ?", codes]}}

and sent

user.of_codes('(1,2,4)')

it triggers
select * from users where code in '(1,2,4)' which raises a MySQL error because of the extra quotes.

PS: Ideally I would like to send user.of_codes([1,2,4])

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

这将起作用,只是找到而不会让您遭受 SQL 注入攻击:

named_scope :of_codes, lambda { |codes|
  { :conditions => ['code in (?)', codes] }
}

User.of_codes([1, 2, 3])
# executes "select * from users where code in (1,2,3)"

如果您想要更狡猾一点,您可以这样做:

named_scope :of_codes, lambda { |*codes|
  { :conditions => ['code in (?)', [*codes]] }
}

然后您可以使用 Array 来调用它(如上所述) :User.of_codes([1, 2, 3]),或使用代码参数列表:User.of_codes(1, 2, 3)

This will work just find and not expose you to the SQL injection attack:

named_scope :of_codes, lambda { |codes|
  { :conditions => ['code in (?)', codes] }
}

User.of_codes([1, 2, 3])
# executes "select * from users where code in (1,2,3)"

If you want to be a little more slick, you can do this:

named_scope :of_codes, lambda { |*codes|
  { :conditions => ['code in (?)', [*codes]] }
}

Then you can call it either with an Array (as above): User.of_codes([1, 2, 3]), or with a list of code arguments: User.of_codes(1, 2, 3).

多彩岁月 2024-09-14 06:22:21

最简单的方法是使用散列作为条件而不是数组:

named_scope :of_codes, lambda { |*codes| { :conditions => { :code => codes } } }

这将按预期工作。

User.of_codes(1, 2, 3) # => SELECT ... code IN (1,2,3)
User.of_codes(1) # => SELECT ... code IN (1)

The simplest approach would be to use a hash for conditions instead of an array:

named_scope :of_codes, lambda { |*codes| { :conditions => { :code => codes } } }

This will work as expected.

User.of_codes(1, 2, 3) # => SELECT ... code IN (1,2,3)
User.of_codes(1) # => SELECT ... code IN (1)
如何视而不见 2024-09-14 06:22:21

您可以尝试以下

named_scope :of_codes, lambda {|codes| {:conditions => ["code in "+codes]}}

user.of_codes('(1,2,4)')

编辑 SQL INJECTION PROBLEM USE

named_scope :of_codes, lambda {|codes| {:conditions => ["code in (?) ", codes]}}

user.of_codes([1,2,4])

you can try follwing

named_scope :of_codes, lambda {|codes| {:conditions => ["code in "+codes]}}

and

user.of_codes('(1,2,4)')

EDITED For SQL INJECTION PROBLEM USE

named_scope :of_codes, lambda {|codes| {:conditions => ["code in (?) ", codes]}}

and

user.of_codes([1,2,4])
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文