有没有一种方法来净化SQL中轨方法的find_by_sql
?
Is there a way to sanitize sql in rails method find_by_sql
?
我试过这个解决方案: Ruby on Rails的:?如何消毒的字符串SQL时不使用发现
I've tried this solution: Ruby on Rails: How to sanitize a string for SQL when not using find?
但它未能在
Model.execute_sql("Update users set active = 0 where id = 2")
它抛出一个错误,但SQL code被执行,ID为2,用户现在有一个禁用的帐户。
It throws an error, but sql code is executed and the user with ID 2 now has a disabled account.
简单的find_by_sql
也不起作用:
Model.find_by_sql("UPDATE user set active = 0 where id = 1")
# => code executed, user with id 1 have now ban
编辑:
那么我的客户要求,以使该功能(通过SQL SELECT)的管理面板,使一些复杂的查询(连接,特殊情况等)。所以,我真的想的find_by_sql了。
Well my client requested to make that function (select by sql) in admin panel to make some complex query(joins, special conditions etc). So I really want to find_by_sql that.
第二个编辑:
我想实现这个邪恶SQL code将不被执行。
I want to achieve that 'evil' SQL code won't be executed.
在管理面板,你可以输入查询 - > 更新用户设置管理= TRUE其中id = 232
,我想阻止任何更新/删除/ ALTER SQL命令。
只是想知道,在这里你只能执行SELECT。
In admin panel you can type query -> Update users set admin = true where id = 232
and I want to block any UPDATE / DROP / ALTER SQL command.
Just want to know, that here you can ONLY execute SELECT.
一些尝试,我的结论后 sanitize_sql_array
可惜的是没有做到这一点。
After some attempts I conclude sanitize_sql_array
unfortunatelly don't do that.
有没有办法做到这一点在Rails的?
Is there a way to do that in Rails??
抱歉的混乱。
试试这个:
connect = ActiveRecord::Base.connection();
connect.execute(ActiveRecord::Base.send(:sanitize_sql_array, "your string"))
您可以将它保存在变量,并使用你的目的。
You can save it in variable and use for your purposes.