MySql Query ::如何解決數據中的問題，當查詢被觸發時

Question

我正面臨着數據中存在這樣的問題。搜索時不顯示數據。我想刪除SQL注入問題 代碼::

@search_condition = "" 
      if !search_text.nil? 
      search_field = search_text.split("-") 
      @search_condition = "(address_books.organization_name like '#{search_text}%' or address_books.business_name like '#{search_text}%' or address_books.federal_tax_id like '#{search_text}%' or address_books.city like '#{search_text}%' or address_books.zip like '#{search_text}%') " if search_field.length == 1 

      if search_text.include? "-" 
       if search_field.length <= 1 
       @search_condition = " (address_books.organization_name like '%" + search_field[0] + "%' " 
       @search_condition += " or address_books.business_name like '%" + search_field[1] + "%' " 
       @search_condition += " or address_books.federal_tax_id like '%" + search_field[2] + "%' " 
       @search_condition += " or address_books.city like '%" + search_field[3] + "%' " 
       @search_condition += " or address_books.zip like '%" + search_field[4] + "%') " 

Answer 1

您需要通過更換所有的數據插入？並保存每個數據來取代這個？在Array

@search_condition = "" 
      if !search_text.nil? 
      search_field = search_text.split("-") 
      if search_field.length == 1 
       @search_condition = "(address_books.organization_name like ? or address_books.business_name like ? or address_books.federal_tax_id like ? or address_books.city like ? or address_books.zip like ?) " 
       @search_condition_datas = ["#{search_text}%", "#{search_text}%", "#{search_text}%", "#{search_text}%", , "#{search_text}%"] 
      if search_text.include? "-" 
       if search_field.length <= 1 
       @search_condition = " (address_books.organization_name like ? " 
       @search_condition += " or address_books.business_name like ?" 
       @search_condition += " or address_books.federal_tax_id like ?" 
       @search_condition += " or address_books.city like ?" 
       @search_condition += " or address_books.zip like ?" 
       @search_condition_datas = ["%#{search_text[0]}%", "%#{search_text[1]}%", "%#{search_text[2]}%", "%#{search_text[3]}%", , "%#{search_text[4]}%"] 

而後就可以用

User.find(:all, :conditions => [@search_condition] | @search_conditions_datas) 

此代碼搜索後，可重構。這真的很難看。

Answer 2

下面是使用Arel/Rails的3/REE 2010-02

class AddressBook < ActiveRecord::Base 

    def self.search(search_text) 
    unless search_text.nil? 
     t = arel_table 
     results = scoped 

     search_fields = search_text.split("-") 
     search_fields.map! {|f| "%#{f}" } unless search_fields.length == 1 
     results = results.where(
     t[:organization_name].matches("#{search_fields[0] || search_text}%"). 
     or(t[:business_name].matches("#{search_fields[1] || search_text}%")). 
     or(t[:federal_tax_id].matches("#{search_fields[2] || search_text}%")). 
     or(t[:city].matches("#{search_fields[3] || search_text}%")). 
     or(t[:zip].matches("#{search_fields[4] || search_text}%")) 
    ) 
    end 
    results 
    end 

end 

這裏可能的重構是SQL後產生：

ree-1.8.7-2010.02 > AddressBook.search("something") 
    AddressBook Load (0.1ms) SELECT "address_books".* FROM "address_books" WHERE ((((("address_books"."organization_name" LIKE 'something%' OR "address_books"."business_name" LIKE 'something%') OR "address_books"."federal_tax_id" LIKE 'something%') OR "address_books"."city" LIKE 'something%') OR "address_books"."zip" LIKE 'something%')) 
=> [] 


ree-1.8.7-2010.02 > AddressBook.search("1-2-3-4-5") 
    AddressBook Load (0.2ms) SELECT "address_books".* FROM "address_books" WHERE ((((("address_books"."organization_name" LIKE '%1%' OR "address_books"."business_name" LIKE '%2%') OR "address_books"."federal_tax_id" LIKE '%3%') OR "address_books"."city" LIKE '%4%') OR "address_books"."zip" LIKE '%5%')) 
=> [] 

顯然，根據你的需要，你想怎麼搜索，您可以更新這個。主要的一點是，通過Arel，你可以保持關係的連鎖子句，直到它被實際查詢的地步。我認爲，這比建立條件字符串或數組要乾淨得多。