using a placeholder with joins

前端未结

关注

 2  871

I\'m attempting to avoid any SQL injection vulnerabilities by substituting with my params on a join.

Category.joins(\"LEFT OUTER JOIN incomes ON incomes.cate


                      
              相关标签:


      
      
        
          2条回答        

        
                         				            
            
           
            
                              
                
              
              
                
                  粉色の甜心        
                
              
                            
                2021-01-06 19:57
              
            
            
                                                                       
Try

Category.joins(:incomes).where(:incomes => { :dept_id => params[:Dept] })


And check out the Rails documentation for joining tables.
                                                                        
                                                        
            
            
              
                
                0
              
                 
                
               讨论(0)
              
              
                                                   
              
                                                            
            
                      
                    


               
            
    发布评论:
    
         
                        
    
    提交评论 
  
  

                    
                    
                    
                        
                        
                         加载中...
                        
                    
                
          
          	          
            
           
            
                              
                
              
              
                
                  天命终不由人        
                
              
                            
                2021-01-06 20:00
              
            
            
                                                                       
One option is to use the sanitize_sql_array method. It is, however, a protected method so on your Category model you could do:

class Category < ActiveRecord::Base
  def self.income_for_dept(dept)
    Category.joins(sanitize_sql_array(["LEFT OUTER JOIN incomes ON incomes.category_id = categories.id AND incomes.dept_id = ?", dept]))
  end
end


Then you would call it like:

Category.income_for_dept(params[:Dept])


Ruby provides some other methods, if need be, to get at that method without making a class method in Category.
                                                                        
                                                        
            
            
              
                
                0
              
                 
                
               讨论(0)
              
              
                                                   
              
                                                            
            
                      
                    


               
            
    发布评论:
    
         
                        
    
    提交评论 
  
  

                    
                    
                    
                        
                        
                         加载中...
                        
                    
                
          
          	          
                             
        
        
          
            
            
              
              
            
    


                                 
              
            
                          
    

        
         
                验证码
                
                  
                
                
                   看不清?
                
              
                                  
                    
   
                 
             
              提交回复