2
I am writing a query: how do I avoid SQL injection?
@results = RubyGem.where(
  'name LIKE ?', "%#{searchphrase}%"
).paginate(
  :page => params[:page],
  :per_page => 50,
  :group => "name",
  :order => [
    "CASE WHEN name like '#{searchphrase}%' THEN 0
          WHEN name like '% %#{searchphrase}% %' THEN 1
          WHEN name like '%#{searchphrase}' THEN 2
          ELSE 3 END, name"
  ]
)
But I'm sure this is prone to injection... Could someone fix this so that it isn't, while keeping the functionality the same? I'm using Ruby on Rails and MySQL.
A similar question: http://stackoverflow.com/questions/12127496/is-this-prone-to-sql-injection
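The injection risk in the question is confined to the :order string, where searchphrase is interpolated straight into SQL text; the where clause already binds it through a ? placeholder. The fix is to bind the phrase in the ORDER BY CASE expression the same way. In Rails that is done with ActiveRecord's sanitize_sql_array (wrapped in Arel.sql when passed to order, on versions that require it) and, to stop user-supplied % and _ from acting as wildcards, sanitize_sql_like. The script below is an added example, not code from the question or from Rails: it reimplements those two helpers in plain Ruby so it runs without ActiveRecord, and builds the whole statement for the assumed table name rubygems with the phrase passed only as quoted data.

```ruby
# Added example (not from the original question): a Rails-free model of the
# parameter-binding fix. The helpers below are simplified stand-ins for
# ActiveRecord's sanitize_sql_like and sanitize_sql_array; they exist only so
# the script runs without Rails. The table name "rubygems" is an assumption.

# Escape LIKE metacharacters so a user-supplied phrase matches literally
# (mirrors sanitize_sql_like, which escapes \, % and _).
def sanitize_sql_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| [escape_character, x].join }
end

# Quote one value as a MySQL string literal: backslash-escape quote,
# backslash and NUL, then wrap in single quotes.
def quote(value)
  body = value.to_s.gsub(/[\\'\0]/) { |c| c == "\0" ? "\\0" : "\\#{c}" }
  "'#{body}'"
end

# Replace each ? placeholder with the next quoted value (a minimal version of
# sanitize_sql_array). Refuses to proceed if the counts do not line up, so a
# missing value can never silently leave a raw ? in the SQL.
def bind(sql, *values)
  placeholders = sql.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  remaining = values.dup
  sql.gsub("?") { quote(remaining.shift) }
end

# Build the question's WHERE and ORDER BY with the search phrase bound as data.
# The three CASE branches keep the original patterns; only the way the phrase
# reaches the SQL changes.
def search_sql(searchphrase)
  escaped = sanitize_sql_like(searchphrase)
  where = bind("name LIKE ?", "%#{escaped}%")
  order = bind(
    "CASE WHEN name LIKE ? THEN 0 " \
    "WHEN name LIKE ? THEN 1 " \
    "WHEN name LIKE ? THEN 2 " \
    "ELSE 3 END, name",
    "#{escaped}%", "% %#{escaped}% %", "%#{escaped}"
  )
  "SELECT name FROM rubygems WHERE #{where} GROUP BY name ORDER BY #{order}"
end

if __FILE__ == $0
  puts search_sql("foo")
  # A phrase carrying a quote stays inside the literal instead of ending it.
  puts search_sql("x' OR 1=1 -- ")
end
```

Escaping LIKE metacharacters is a separate decision from injection: without sanitize_sql_like the query is still safe from injection, but a phrase such as "50%" would match as a wildcard, which is rarely what a user typing into a search box means.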