我正在尝试为Rails实现自动完成功能。我的代码中有类似的内容 -
Location.where("name like ?", "%#{params[:location]}%")
我担心这会导致SQL注入。类似于以下内容 -
SELECT * FROM Locations WHERE (name LIKE '%green%') OR 1=1--%'
当params[:location]类似green%') OR 1=1--
有什么办法,我可以在Rails中避免使用SQLi进行基于子串的搜索吗?
答案 0 :(得分:0)
> x = "'') OR SELECT * FROM Users"
=> "'') OR SELECT * FROM Users"
> Course.where(["name like ?", "%#{x}%"])
Course Load (38.7ms) SELECT "courses".* FROM "courses" WHERE
(name like '%'''') OR SELECT * FROM Users%')
=> []
答案 1 :(得分:0)
如果您正在使用Postgres,我建议您使用Postgres中的trigram支持来执行此操作。
在迁移中抛出此内容以设置内容:
CREATE EXTENSION pg_trgm;
然后像这样运行你的查询:
Location.select('*', "similarity(search_term, #{ActiveRecord::Base.sanitize(search_term)}) AS similarity").order('similarity DESC, search_term')
或者,只是做你正在做的事情,但将参数包装在#{ActiveRecord::Base.sanitize(search_term)}