Rails,如何清理 find_by_sql 中的 SQL
有没有办法在rails方法find_by_sql中清理sql?
我尝试过这个解决方案: Ruby on Rails:不使用 find 时如何清理 SQL 字符串?
但它失败了,
Model.execute_sql("Update users set active = 0 where id = 2")
它抛出一个错误,但执行了 sql 代码,并且 ID 为 2 的用户现在拥有一个已禁用的帐户。
简单的 find_by_sql 也不起作用:
Model.find_by_sql("UPDATE user set active = 0 where id = 1")
# => code executed, user with id 1 have now ban
编辑:
那么我的客户要求在管理面板中创建该功能(通过 sql 选择)来进行一些复杂的查询(联接、特殊条件等) )。所以我真的很想find_by_sql。
第二次编辑:
我想实现“邪恶”的 SQL 代码不会被执行。
在管理面板中,您可以输入查询 -> Update users set admin = true where id = 232 并且我想阻止任何 UPDATE / DROP / ALTER SQL 命令。 只是想知道,这里你只能执行 SELECT。
经过一番尝试后,我得出结论 sanitize_sql_array 不幸的是不要这样做。
Rails 有没有办法做到这一点?
抱歉造成混乱..
Is there a way to sanitize sql in rails method find_by_sql?
I've tried this solution:
Ruby on Rails: How to sanitize a string for SQL when not using find?
But it fails at
Model.execute_sql("Update users set active = 0 where id = 2")
It throws an error, but sql code is executed and the user with ID 2 now has a disabled account.
Simple find_by_sql also does not work:
Model.find_by_sql("UPDATE user set active = 0 where id = 1")
# => code executed, user with id 1 have now ban
Edit:
Well my client requested to make that function (select by sql) in admin panel to make some complex query(joins, special conditions etc). So I really want to find_by_sql that.
Second Edit:
I want to achieve that 'evil' SQL code won't be executed.
In admin panel you can type query -> Update users set admin = true where id = 232 and I want to block any UPDATE / DROP / ALTER SQL command.
Just want to know, that here you can ONLY execute SELECT.
After some attempts I conclude sanitize_sql_array unfortunatelly don't do that.
Is there a way to do that in Rails??
Sorry for the confusion..
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
试试这个:
您可以将其保存在变量中并用于您的目的。
Try this:
You can save it in variable and use for your purposes.
我为此制作了一个小片段,您可以将其放入初始化程序中。
现在,您可以使用以下命令转义查询:
并且您可以按照自己喜欢的方式调用查询:
I made a little snippet for this that you can put in initializers.
Right now you can escape your query with this:
And you can call the query any way you like:
稍微通用一些:
这个可以让您像键入 where 子句一样调用它,无需额外的括号,并使用数组样式 ?或散列式插值。
Slightly more general-purpose:
This one lets you call it just like you'd type in a where clause, without extra brackets, and using either array-style ? or hash-style interpolations.
来源:http://blog. endpoint.com/2012/10/dont-sleep-on-rails-3-sql-injection.html
Source: http://blog.endpoint.com/2012/10/dont-sleep-on-rails-3-sql-injection.html
尽管此示例适用于 INSERT 查询,但可以对 UPDATE 查询使用类似的方法。原始 SQL 批量插入:
以下是对 ActiveRecord 中 sanitize_sql_array 方法的 引用: :Base,它通过转义字符串中的单引号来生成正确的查询字符串。例如,punch_line“不要让他们让你失望”将变成“不要让他们让你失望”。
Though this example is for INSERT query, one can use similar approach for UPDATE queries. Raw SQL bulk insert:
Here is the reference to sanitize_sql_array method in ActiveRecord::Base, it generates the proper query string by escaping the single quotes in the strings. For example the punch_line "Don't let them get you down" will become "Don\'t let them get you down".
我更喜欢用关键参数来做。在您的情况下,它可能看起来像这样:
请注意,您仅将一个参数传递给
:find_by_sql方法 - 它是一个数组,其中包含两个元素:字符串查询和带参数的哈希(因为它是我们最喜欢的) Ruby,您可以省略大括号)。I prefer to do it with key parameters. In your case it may looks like this:
Pay attention, that you pass ONLY ONE parameter to
:find_by_sqlmethod - its an array, which contains two elements: string query and hash with params (since its our favourite Ruby, you can omit the curly brackets).