Previously I used
Model.create()
to insert a row; now I want to use the DELAYED option in MySQL.
But if I write
ActiveRecord::Base.connection.execute("INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{params[:id]})")
I get SQL injection. How can I prevent it?
Answer 0: (score: 2)
Use connection.quote
id = ActiveRecord::Base.connection.quote(params[:id])
ActiveRecord::Base.connection.execute("INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{id})")
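To show what quoting actually does to the interpolated statement, here is an added example that is not part of the original question or answer and does not depend on a database. The `quote_like_mysql` helper is an assumption: a stand-in written for this example that mimics the escaping done by ActiveRecord's MySQL adapter (`connection.quote`), not the Rails implementation itself. It places the unsafe interpolation from the question beside the quoted form from the answer and, since `row` takes an integer, a stricter variant that validates the parameter before it reaches SQL at all.

```ruby
# Added example, not the original post's code. quote_like_mysql is an
# assumed stand-in for ActiveRecord::Base.connection.quote so the effect
# can be shown offline; the escape table mirrors MySQL's string escaping.
MYSQL_ESCAPES = {
  "\\"   => "\\\\",  # backslash
  "'"    => "\\'",   # single quote
  "\""   => "\\\"",  # double quote
  "\0"   => "\\0",   # NUL
  "\n"   => "\\n",   # newline
  "\r"   => "\\r",   # carriage return
  "\x1a" => "\\Z"    # Ctrl-Z
}.freeze
MYSQL_ESCAPE_RE = Regexp.union(MYSQL_ESCAPES.keys)

def quote_like_mysql(value)
  case value
  when Integer, Float then value.to_s   # numbers are emitted bare
  when nil            then "NULL"
  else
    # every string is escaped and wrapped in single quotes, so a quote
    # character inside the value cannot terminate the SQL literal
    "'#{value.to_s.gsub(MYSQL_ESCAPE_RE, MYSQL_ESCAPES)}'"
  end
end

# Unsafe: the request parameter is interpolated verbatim, as in the question.
def insert_unsafe(id)
  "INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{id})"
end

# Safe: quote the value first, which is what the answer recommends.
def insert_quoted(id)
  "INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{quote_like_mysql(id)})"
end

# Stricter: `row` is an integer column, so accept only a base-10 integer.
# Integer() raises ArgumentError for anything else, before SQL is built.
def insert_validated(id)
  "INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{Integer(id, 10)})"
end

if __FILE__ == $PROGRAM_NAME
  hostile = "1' OR 1=1"   # constructed input containing a quote character
  puts insert_unsafe(hostile)     # the quote reaches the statement unescaped
  puts insert_quoted(hostile)     # VALUES ('1\' OR 1=1'): a single string literal
  puts insert_validated("42")     # VALUES (42)
  begin
    insert_validated(hostile)
  rescue ArgumentError => e
    puts "rejected before reaching SQL: #{e.message}"
  end
end
```

Note that `params[:id]` arrives as a String, so `connection.quote` produces `'42'` rather than `42`; MySQL coerces that for an integer column, which is fine, but the `Integer()` check is the tighter contract because it rejects non-numeric input outright instead of relying on escaping. Rails also provides `sanitize_sql_array` with `?` placeholders for building such fragments.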