2012-12-17 82 views
2

I wrote a query: how do I avoid SQL injection?

@results = RubyGem.where(
    'name LIKE ?', "%#{searchphrase}%"        # bound parameter: safe
    ).paginate(
     :page => params[:page],
     :per_page => 50,
     :group => "name",
     # searchphrase is interpolated straight into the ORDER BY string here
     :order => [
      "CASE WHEN name like '#{searchphrase}%' THEN 0
      WHEN name like '% %#{searchphrase}% %' THEN 1
      WHEN name like '%#{searchphrase}' THEN 2
      ELSE 3 END, name"
     ]
    )

But I'm pretty sure this is vulnerable to injection... can someone fix it so that it isn't, while keeping the functionality the same? I'm using Ruby on Rails and MySQL.

+0

A similar question: http://stackoverflow.com/questions/12127496/is-this-prone-to-sql-injection –

Answers

2
@results = RubyGem.where(
    'name LIKE ?', "%#{searchphrase}%"
).paginate(
    :page => params[:page],
    :per_page => 50,
    :group => "name",
    # :order is handed to ActiveRecord's order(), which does not accept a
    # [sql, *binds] array, so quote the binds into the string first with
    # sanitize_sql_array (a protected class method in Rails 3/4, hence send).
    :order => RubyGem.send(:sanitize_sql_array, [
      "CASE WHEN name LIKE ? THEN 0 WHEN name LIKE ? THEN 1 WHEN name LIKE ? THEN 2 ELSE 3 END, name",
      "#{searchphrase}%", "% %#{searchphrase}% %", "%#{searchphrase}"
    ])
)
+0

This doesn't work... – areke

+0

I figured it out, but since you're the only one who answered... thanks! – areke
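As an added example (not code from the question or the answer above), the following stand-alone Ruby builds the same CASE ranking clause two ways: once by interpolating the search phrase as the question does, and once through a hand-rolled stand-in for ActiveRecord's sanitize_sql_array that also escapes LIKE wildcards. The module name SearchOrder, the quote_value and escape_like helpers and the PAYLOAD string are assumptions made so the code runs offline; in a Rails app use the model's own sanitize_sql_array (RubyGem.send(:sanitize_sql_array, [...]) on Rails 3/4) and, on Rails 4.2 or later, sanitize_sql_like, rather than this module's quoter.

```ruby
# Added example, not code from the question or the answer: builds the ranking
# ORDER BY clause for the name search without a database, so the effect of
# interpolating vs. binding the search phrase can be inspected directly.
# SearchOrder, quote_value, escape_like and PAYLOAD are assumptions made for
# this demonstration. In Rails, use the model's own sanitize_sql_array
# (RubyGem.send(:sanitize_sql_array, [...]) on Rails 3/4) and sanitize_sql_like
# (Rails 4.2+) instead of the stand-ins below.
module SearchOrder
  # Characters mysql_real_escape_string rewrites inside a string literal.
  MYSQL_ESCAPES = {
    "\\"   => "\\\\", "'"  => "\\'", "\"" => "\\\"",
    "\0"   => "\\0",  "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"
  }.freeze
  MYSQL_ESCAPE_RE = Regexp.union(MYSQL_ESCAPES.keys)

  # Quote a Ruby string as a MySQL single-quoted literal (stand-in for the
  # adapter's quoting; do not ship this in place of the adapter's own code).
  def self.quote_value(str)
    "'" + str.to_s.gsub(MYSQL_ESCAPE_RE) { |c| MYSQL_ESCAPES[c] } + "'"
  end

  # Minimal sanitize_sql_array: each `?` becomes the next bind, quoted.
  # Binds are only ever placed where the template has a placeholder, so a
  # bind containing quotes or `?` cannot alter the SQL structure.
  def self.sanitize_sql_array(sql, *binds)
    unless sql.count("?") == binds.size
      raise ArgumentError, "expected #{sql.count('?')} binds, got #{binds.size}"
    end
    queue = binds.dup
    sql.gsub("?") { quote_value(queue.shift) }
  end

  # Escape LIKE metacharacters so a user searching for "50%" matches the
  # literal text rather than every row (MySQL's default LIKE escape is `\`).
  def self.escape_like(str)
    str.to_s.gsub(/[\\%_]/) { |c| "\\#{c}" }
  end

  # The question's clause: the phrase is spliced straight into the SQL.
  def self.unsafe_order(searchphrase)
    "CASE WHEN name like '#{searchphrase}%' THEN 0 " \
    "WHEN name like '% %#{searchphrase}% %' THEN 1 " \
    "WHEN name like '%#{searchphrase}' THEN 2 ELSE 3 END, name"
  end

  # Same ranking with every occurrence of the phrase bound and wildcard-escaped.
  def self.safe_order(searchphrase)
    term = escape_like(searchphrase)
    sanitize_sql_array(
      "CASE WHEN name LIKE ? THEN 0 WHEN name LIKE ? THEN 1 " \
      "WHEN name LIKE ? THEN 2 ELSE 3 END, name",
      "#{term}%", "% %#{term}% %", "%#{term}"
    )
  end

  # Constructed payload: closes the quoted pattern, injects an expression into
  # ORDER BY and comments out the remainder of the clause.
  PAYLOAD = "x' THEN (SELECT 1) -- ".freeze

  # True when the payload's quote escaped the literal, i.e. the clause now
  # contains `'x' THEN (SELECT 1)` as bare SQL rather than inside a string.
  def self.injected?(order_sql)
    order_sql.include?("'x' THEN (SELECT 1)")
  end
end

if __FILE__ == $PROGRAM_NAME
  puts SearchOrder.unsafe_order(SearchOrder::PAYLOAD)   # quote closed, SQL injected
  puts SearchOrder.safe_order(SearchOrder::PAYLOAD)     # quote escaped as \'
  puts SearchOrder.safe_order("50%")                    # % escaped as \% inside the literal
end
```

Running the file prints the interpolated clause with the payload's `(SELECT 1) --` sitting outside any string literal, the bound clause with the same payload kept inside an escaped literal, and the bound clause for "50%" with the user's percent sign escaped so it no longer acts as a wildcard. The bind-count check in sanitize_sql_array is deliberate: a template with more placeholders than binds would otherwise leave a bare `?` in the SQL.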