我對一個Postgres數據庫以下的find_by_sql查詢:Rails - 如何防止postgres find_by_sql查詢的sql注入?
pick_ids = picks.pluck(:id).join(',')
Pick.find_by_sql("WITH cte1 AS (SELECT DISTINCT user_id, state, pick FROM picks
WHERE id IN (#{pick_ids})), cte2 AS (SELECT user_id, coalesce(sum(amount_won), 0)
as picks_total_won FROM picks WHERE id IN (#{pick_ids}) GROUP BY user_id), cte3 AS
(SELECT user_id, COUNT(CASE WHEN state = 'won' then 1 ELSE null END) AS picks_won,
FROM cte1 GROUP BY user_id) SELECT cte2.picks_total_won, cte3.picks_won,
FROM cte2 INNER JOIN cte3 ON cte2.user_id = cte3.user_id")
當我嘗試將其參數化(即,... pick_ids,pick_ids?),但是,我得到以下錯誤:
ArgumentError: wrong number of arguments (3 for 1..2)
(1)你能參數化一個find_by_sql查詢嗎?如果是這樣,怎麼樣? (2)如果查詢永遠不會收到用戶輸入的參數,你甚至需要擔心SQL注入嗎?
太神奇了!很好的答案...應該對他人有用 – keruilin