有没有一种方法来净化SQL中轨方法的find_by_sql ？

Is there a way to sanitize sql in rails method find_by_sql?

我试过这个解决方案： Ruby on Rails的：？如何消毒的字符串SQL时不使用发现

I've tried this solution: Ruby on Rails: How to sanitize a string for SQL when not using find?

但它未能在

Model.execute_sql("Update users set active = 0 where id = 2")

它抛出一个错误，但SQL code被执行，ID为2，用户现在有一个禁用的帐户。

It throws an error, but sql code is executed and the user with ID 2 now has a disabled account.

简单的find_by_sql 也不起作用：

Model.find_by_sql("UPDATE user set active = 0 where id = 1")
# => code executed, user with id 1 have now ban

编辑：

那么我的客户要求，以使该功能（通过SQL SELECT）的管理面板，使一些复杂的查询（连接，特殊情况等）。所以，我真的想的find_by_sql了。

Well my client requested to make that function (select by sql) in admin panel to make some complex query(joins, special conditions etc). So I really want to find_by_sql that.

第二个编辑：

我想实现这个邪恶SQL code将不被执行。

I want to achieve that 'evil' SQL code won't be executed.

在管理面板，你可以输入查询 - > 更新用户设置管理= TRUE其中id = 232 ，我想阻止任何更新/删除/ ALTER SQL命令。 只是想知道，在这里你只能执行SELECT。

In admin panel you can type query -> Update users set admin = true where id = 232 and I want to block any UPDATE / DROP / ALTER SQL command. Just want to know, that here you can ONLY execute SELECT.

一些尝试，我的结论后 sanitize_sql_array 可惜的是没有做到这一点。

After some attempts I conclude sanitize_sql_array unfortunatelly don't do that.

有没有办法做到这一点在Rails的？

Is there a way to do that in Rails??

抱歉的混乱。

推荐答案

试试这个：

connect = ActiveRecord::Base.connection();
connect.execute(ActiveRecord::Base.send(:sanitize_sql_array, "your string"))

您可以将它保存在变量，并使用你的目的。

You can save it in variable and use for your purposes.