问题
I need to create a simple search but I can't afford to use Sphinx.
Here's what I wrote:
keywords = input.split(/\s+/)
queries = []
keywords.each do |keyword|
queries << sanitize_sql_for_conditions(
"(classifications.species LIKE '%#{keyword}%' OR
classifications.family LIKE '%#{keyword}%' OR
classifications.trivial_names LIKE '%#{keyword}%' OR
place LIKE '%#{keyword}%')")
end
options[:conditions] = queries.join(' AND ')
Now, sanitize_sql_for_conditions does NOT work! It returns simply returns the original string.
How can I rewrite this code to escape malicious code?
回答1:
If you replace the "#{keyword}" with a "?", you can do something like this. Using the question mark will automatically sanitize SQL.
keywords = input.split(/\s+/)
queries = []
vars = []
keywords.each do |keyword|
queries << "(classifications.species LIKE '%?%' OR
classifications.family LIKE '%?%' OR
classifications.trivial_names LIKE '%?%' OR
place LIKE '%?%')"
vars = vars << keyword << keyword << keyword << keyword
end
options[:conditions] = [queries.join(' AND '), vars].flatten
回答2:
I use a lot of custom conditions in ActiveRecord, but I like to package them in an array of condition arrays, then combine 'em, using the ? value lets AR santize them automatically:
conditions = Array.new
conditions << ["name = ?", "bob"]
conditions << ["(created_at > ? and created_at < ?)", 1.year.ago, 1.year.from_now]
User.find(:first, :conditions => combine_conditions(conditions))
def combine_conditions(somearray) # takes an array of condition set arrays and reform them into a AR-compatible condition array
conditions = Array.new
values = Array.new
somearray.each do |conditions_array|
conditions << conditions_array[0] # place the condition in an array
# extract values
for i in (1..conditions_array.size - 1)
values << conditions_array[i]
end
end
[conditions.join(" AND "), values].flatten
end
来源:https://stackoverflow.com/questions/1143647/sanitize-sql-in-custom-conditions