我目前有这个:
products = Product.select("DISTINCT(products.id), products.*").joins("JOIN (SELECT * FROM `shop_categorizations` WHERE (shop_categorizations.shop_category_id IN (SELECT id FROM `shop_categories` WHERE (`shop_categories`.shop_id = #{id} AND (`shop_categories.id` IN (#{shop_categories})))))) AS `shop_categorizations` ON `shop_categorizations`.`product_id` = `products`.`id`");
我在想这个查询很容易被sql注入。如何使此查询安全无虞。我假设有约束力,但我不知道如何在这里应用它。
模型背景如果有帮助:
Product belongs to ShopCategory
ShopCategory belongs to Shop
答案 0 :(得分:3)
在您的情况下,我认为您不需要绑定。这两个参数都是Fixnum,您只需将输入转换为Fixnum即可防止SQL注入:
JOIN(SELECT * FROM
shop_categorizationsWHERE (shop_categorizations.shop_category_id IN(SELECT id FROMshop_categoriesWHERE(shop_categories。shop_id =#{ id.to_i } AND(shop_categories.idIN(#{ shop_categories.map(&:to_i)}))))))) ASshop_categorizationsONshop_categorizations。product_id=products。id
如果确实需要处理字符串数据类型,可以通过转义/引用来阻止SQL注入,请参阅: http://api.rubyonrails.org/classes/ActiveRecord/ConnectionAdapters/Quoting.html#method-i-quote