在自定义条件中对SQL进行消毒

Question

我需要创建一个简单的搜索，但我无法使用Sphinx。

这是我写的：

keywords = input.split(/\s+/) 
queries = [] 

keywords.each do |keyword| 
    queries << sanitize_sql_for_conditions(
       "(classifications.species LIKE '%#{keyword}%' OR 
       classifications.family LIKE '%#{keyword}%' OR 
       classifications.trivial_names LIKE '%#{keyword}%' OR 
       place LIKE '%#{keyword}%')") 
end 

options[:conditions] = queries.join(' AND ') 

现在，sanitize_sql_for_conditions不行！它只返回原始字符串。

如何重写此代码以转义恶意代码？

Answer 1

如果用“？”替换“＃{keyword}”，则可以这样做。使用问号会自动清理SQL。

keywords = input.split(/\s+/) 
queries = [] 
vars = [] 

keywords.each do |keyword| 
    queries << "(classifications.species LIKE '%?%' OR 
       classifications.family LIKE '%?%' OR 
       classifications.trivial_names LIKE '%?%' OR 
       place LIKE '%?%')" 
    vars = vars << keyword << keyword << keyword << keyword 
end 

options[:conditions] = [queries.join(' AND '), vars].flatten 

Answer 2

我用了很多的ActiveRecord的定制条件，但我喜欢将它们打包到在条件数组的数组，然后结合他们，用？价值让AR自动化他们：

conditions = Array.new 
conditions << ["name = ?", "bob"] 
conditions << ["(created_at > ? and created_at < ?)", 1.year.ago, 1.year.from_now] 

User.find(:first, :conditions => combine_conditions(conditions)) 

def combine_conditions(somearray) # takes an array of condition set arrays and reform them into a AR-compatible condition array 
    conditions = Array.new 
    values = Array.new 
    somearray.each do |conditions_array| 
    conditions << conditions_array[0] # place the condition in an array 
    # extract values 
    for i in (1..conditions_array.size - 1) 
     values << conditions_array[i] 
    end 
    end 
    [conditions.join(" AND "), values].flatten 
end