How to prevent SQL injection in Rails
Example:
User.order("#{sort_by} #{sort_direction}")
If the query parameter is:
sort_by = "email; DELETE from users; --"
then every user gets deleted.
Solution (allowlist the column and direction instead of interpolating the raw parameter):
def index
  # Only values that passed the allowlist checks below reach the ORDER clause.
  @users = User.order(sort_by + " " + direction)
end

private

# Returns params[:sort_by] only if it is a known column, otherwise falls back to 'name'.
def sort_by
  %w(email name).include?(params[:sort_by]) ? params[:sort_by] : 'name'
end

# Returns params[:direction] only if it is 'asc' or 'desc', otherwise falls back to 'asc'.
def direction
  %w(asc desc).include?(params[:direction]) ? params[:direction] : 'asc'
end
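The following is an added example, not code from the original post, showing the vulnerable interpolation next to the allowlisted version as plain Ruby so it runs without Rails. The names SORTABLE_COLUMNS, SORT_DIRECTIONS, vulnerable_order_clause, sort_column, sort_direction and safe_order_clause are chosen for this example, and a plain Hash with symbol keys stands in for Rails' params.

```ruby
# Added example (not from the original post): allowlist-based sort parameters.
# SORTABLE_COLUMNS, SORT_DIRECTIONS and the method names below are assumptions
# made for this example; a plain Hash stands in for ActionController::Parameters.

SORTABLE_COLUMNS = %w[email name].freeze
SORT_DIRECTIONS  = %w[asc desc].freeze

# The pattern from the original snippet: whatever the client sent is dropped
# straight into the SQL fragment. Kept only to contrast with the safe version.
def vulnerable_order_clause(params)
  "ORDER BY #{params[:sort_by]} #{params[:direction]}"
end

# Returns the column only if it is one of the known sortable columns,
# otherwise falls back to 'name'.
def sort_column(params)
  SORTABLE_COLUMNS.include?(params[:sort_by]) ? params[:sort_by] : 'name'
end

# Returns the direction only if it is 'asc' or 'desc', otherwise 'asc'.
def sort_direction(params)
  SORT_DIRECTIONS.include?(params[:direction]) ? params[:direction] : 'asc'
end

# The fragment is assembled only from allowlisted literals, so client input
# never reaches the SQL text unless it is exactly one of the known values.
def safe_order_clause(params)
  "ORDER BY #{sort_column(params)} #{sort_direction(params)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input modelled on the attack string in the post.
  hostile = { sort_by: 'email; DELETE FROM users; --', direction: 'asc' }
  puts vulnerable_order_clause(hostile) # attacker text ends up in the SQL
  puts safe_order_clause(hostile)       # => ORDER BY name asc
end
```

Rails also accepts the hash form `User.order(sort_column(params) => sort_direction(params))`, which quotes the column name and raises ArgumentError for a direction other than asc/desc; the allowlist is still what keeps arbitrary column names out of the query.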