How to prevent SQL injection in Rails

Preventing SQL injection in Rails

Example:

User.order("#{sort_by} #{sort_direction}")

If the query parameter is:

sort_by = "email; DELETE from users; --"

then the interpolated string is sent to the database as raw SQL and all users are deleted.

Solution

def index
  @users = User.order(sort_by + " " + direction)
end

private

# Only the two sortable columns are allowed; anything else falls back to 'name'.
def sort_by
  %w(email name).include?(params[:sort_by]) ? params[:sort_by] : 'name'
end

# Only asc/desc are allowed; anything else falls back to 'asc'.
def direction
  %w(asc desc).include?(params[:direction]) ? params[:direction] : 'asc'
end
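The allowlist approach above, as an added example that is not part of the original post, written as plain Ruby so it runs without Rails. It assumes a controller receives the untrusted strings `params[:sort_by]` and `params[:direction]`, uses the assumed helper names `sort_column`/`sort_direction`, and additionally accepts an uppercase direction; the hash form at the end relies on ActiveRecord's `order(column: :direction)` syntax.

```ruby
# Added example (not from the original post): allowlist-based sort parameters
# for ActiveRecord's `order`. Runs without Rails; only the string/hash that
# would be handed to `User.order(...)` is built here.

SORT_COLUMNS    = %w[email name].freeze   # columns the client may sort on
SORT_DIRECTIONS = %w[asc desc].freeze     # the only valid directions

# Returns the validated column, falling back to 'name' for anything not on
# the allowlist (nil, "email; DELETE FROM users; --", and so on).
def sort_column(params)
  SORT_COLUMNS.include?(params[:sort_by]) ? params[:sort_by] : 'name'
end

# Returns the validated direction, falling back to 'asc'. Case-insensitive
# so "DESC" is accepted, but the returned value is always from the allowlist.
def sort_direction(params)
  value = params[:direction].to_s.downcase
  SORT_DIRECTIONS.include?(value) ? value : 'asc'
end

# The clause that would be passed to User.order(...). Both halves come from
# fixed allowlists, so no attacker-controlled text reaches the SQL.
def order_clause(params)
  "#{sort_column(params)} #{sort_direction(params)}"
end

# Safer still: pass ActiveRecord a hash, e.g. User.order(email: :desc), so the
# adapter quotes the column and direction instead of interpolating raw SQL.
def order_hash(params)
  { sort_column(params).to_sym => sort_direction(params).to_sym }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one honest request and one injection attempt.
  honest  = { sort_by: 'email', direction: 'desc' }
  hostile = { sort_by: 'email; DELETE FROM users; --', direction: 'desc' }
  puts order_clause(honest)   # => email desc
  puts order_clause(hostile)  # => name desc
end
```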
		
posted @ 2020-12-18 11:02  viletyy