2012-10-06 150 views
4

As far as I know, the following should be possible in Rails (Rails prepared statements with select_all):

ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]]) 

, but sadly this does not work. No matter which format I try, $1 and $2 are never replaced by the corresponding values from the bind array.

Is there anything else I should be taking care of?

Answers

-10

I don't understand if you want to use variables, but yes, it is easily done with variables; you are using them incorrectly.

Use it like this:

ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=#{v1} AND created<=#{v2} GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]]) 

where v1 and v2 are variables. Let me know if you want anything else afterwards.

Thanks

+0

Thanks for your help. Actually, I want $1 and $2 to be replaced with [['created',1],['created',2]], just like a regular prepared SQL statement. But no matter what I do, it doesn't work. In a normal Rails model statement, like ...where(), it works, but with base.connection I can't figure out how to do it... –

+7

This is a textbook example of how to create a SQL injection vulnerability in your application - quote your variables before interpolating them, or use bind variables. –

3

You should use sanitize_sql_array in your model, like this:

r = self.sanitize_sql_array(["SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=? AND created<=? GROUP BY month ORDER BY month ASC", created1, created2]) 
self.connection.select_all r 

This protects you from SQL injection.
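To make the difference between the interpolation answer and the sanitize_sql_array answer concrete, here is an added example (not from the question, the answers, or ActiveRecord itself): a minimal stand-in for what "?" placeholder quoting does, run on the question's query next to the raw-interpolation form. The quoting is deliberately simplified to single-quote doubling; real database adapters also handle backslashes and character encodings.

```ruby
# Added example, not ActiveRecord's own code: a simplified stand-in for
# sanitize_sql_array's "?" replacement, shown beside string interpolation.

# The query from the question, with "?" placeholders as in the
# sanitize_sql_array answer.
ORDERS_BY_MONTH = "SELECT MONTH(created) AS month, YEAR(created) AS year " \
                  "FROM orders WHERE created>=? AND created<=? " \
                  "GROUP BY month ORDER BY month ASC"

# Quote one value as a SQL string literal by doubling embedded single quotes,
# so a quote inside the value can never terminate the literal. Simplified:
# real adapters also escape backslashes and respect the connection encoding.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" with the next quoted bind value. A placeholder/bind count
# mismatch is refused, mirroring the bind-count check ActiveRecord performs.
def sanitize_array(sql_and_binds)
  sql, *binds = sql_and_binds
  placeholders = sql.count("?")
  unless placeholders == binds.size
    raise ArgumentError, "expected #{placeholders} binds, got #{binds.size}"
  end
  sql.gsub("?") { quote_literal(binds.shift) }
end

# The interpolation form from the -10 answer: values are pasted in verbatim,
# so whatever the caller supplies becomes part of the SQL grammar.
def interpolate_unsafe(v1, v2)
  "SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders " \
  "WHERE created>=#{v1} AND created<=#{v2} GROUP BY month ORDER BY month ASC"
end

# Constructed input containing a quote and a tautology, to show where each
# approach puts it.
HOSTILE = "'2012-01-01' OR 1=1"

# Interpolated: the OR lands in the WHERE clause and widens the result set.
puts interpolate_unsafe(HOSTILE, "'2012-12-31'")
# Quoted: the whole value stays inside a single string literal.
puts sanitize_array([ORDERS_BY_MONTH, HOSTILE, "2012-12-31"])
```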

1

Since you are not using named binds, you would do it like this. This works in Rails 4.2.

ActiveRecord::Base.connection.select_all(
    "SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC", 
    nil, 
    [[nil,'2016-01-01 12:30'],[nil,'2016-01-01 15:30']] 
)