在自定義條件中對SQL進行消毒

Question

我需要創建一個簡單的搜索，但我無法使用Sphinx。

這是我寫的：

keywords = input.split(/\s+/) 
queries = [] 

keywords.each do |keyword| 
    queries << sanitize_sql_for_conditions(
       "(classifications.species LIKE '%#{keyword}%' OR 
       classifications.family LIKE '%#{keyword}%' OR 
       classifications.trivial_names LIKE '%#{keyword}%' OR 
       place LIKE '%#{keyword}%')") 
end 

options[:conditions] = queries.join(' AND ') 

現在，sanitize_sql_for_conditions不行！它只返回原始字符串。

如何重寫此代碼以轉義惡意代碼？

Answer 1

如果用「？」替換「＃{keyword}」，則可以這樣做。使用問號會自動清理SQL。

keywords = input.split(/\s+/) 
queries = [] 
vars = [] 

keywords.each do |keyword| 
    queries << "(classifications.species LIKE '%?%' OR 
       classifications.family LIKE '%?%' OR 
       classifications.trivial_names LIKE '%?%' OR 
       place LIKE '%?%')" 
    vars = vars << keyword << keyword << keyword << keyword 
end 

options[:conditions] = [queries.join(' AND '), vars].flatten 

Answer 2

我用了很多的ActiveRecord的定製條件，但我喜歡將它們打包到在條件數組的數組，然後結合他們，用？價值讓AR自動化他們：

conditions = Array.new 
conditions << ["name = ?", "bob"] 
conditions << ["(created_at > ? and created_at < ?)", 1.year.ago, 1.year.from_now] 

User.find(:first, :conditions => combine_conditions(conditions)) 

def combine_conditions(somearray) # takes an array of condition set arrays and reform them into a AR-compatible condition array 
    conditions = Array.new 
    values = Array.new 
    somearray.each do |conditions_array| 
    conditions << conditions_array[0] # place the condition in an array 
    # extract values 
    for i in (1..conditions_array.size - 1) 
     values << conditions_array[i] 
    end 
    end 
    [conditions.join(" AND "), values].flatten 
end