这是我的sql,我正在获取sql注入问题。我需要以rails方式创建这个sql
这是rails way select query:
select_string = "travel_items.*, 6371.0 * 2 * ASIN(SQRT(POWER(SIN((#{lat} - travel_items.lat) * PI() / 180 / 2), 2) + COS(#{lat} * PI() / 180) * COS(travel_items.lat * PI() / 180) * POWER(SIN((#{lng} - travel_items.lng) * PI() / 180 / 2), 2))) AS distance, MOD(CAST((ATAN2( ((travel_items.lng - #{lng}) / 57.2957795), ((travel_items.lat - #{lat}) / 57.2957795)) * 57.2957795) + 360 AS decimal), 360) AS bearing"
where_string = ["travel_items.lat BETWEEN ? AND ? AND travel_items.lng BETWEEN ? AND ? AND (6371.0 * 2 * ASIN(SQRT(POWER(SIN(( ? - travel_items.lat) * PI() / 180 / 2), 2) + COS( ? * PI() / 180) * COS(travel_items.lat * PI() / 180) * POWER(SIN((? - travel_items.lng) * PI() / 180 / 2), 2)))) BETWEEN 0.0 AND ?",min_lat,max_lat, min_lng, max_lng, mid_lat, mid_lat, mid_lng, distance_km]
TravelItem.select(select_string).where("travel_items.type = ?", travel_item_type).where(where_string).order('distance').limit(limit).to_a
对于where_string我没有得到sql注入问题。我只在select_string上得到它。我们可以有解决方案来删除sql注入吗?
答案 0 :(得分:0)
参考this。 试试以下
where_string = "travel_items.lat BETWEEN ? AND ?"
where_string += " AND travel_items.lng BETWEEN ? AND ?"
where_string += " AND (6371.0 * 2 * ASIN(SQRT(POWER(SIN(( ? - travel_items.lat) * PI() / 180 / 2), 2) + COS( ? * PI() / 180) * COS(travel_items.lat * PI() / 180) * POWER(SIN((? - travel_items.lng) * PI() / 180 / 2), 2)))) BETWEEN 0.0 AND ?"
where_array = [min_lat,max_lat, min_lng, max_lng, mid_lat,
mid_lat, mid_lng, distance_km]
where_array.insert(0, where_string)
TravelItem.select(select_string).where("travel_items.type = ?", travel_item_type).where(where_array).order('distance').limit(limit).to_a