MySQL: How do I protect a Rails find_by_sql statement from SQL injection?

Tags: mysql, ruby-on-rails, sql-injection, ruby-on-rails-2

Thanks for your help! I'm working on a legacy Rails application; I have looked at a few sources but couldn't make them fit my situation. In Rails 2.3 I have a search form, index.html.erb, and a controller, search.rb. The controller builds a string from the search fields, which is kept in the variable @search_string

    @search_string = ""
To display the search results, the controller uses:

    @location_matches = Location.paginate_by_sql("select * from locations where #{@search_string} order by nickname asc",  :page => params[:page], :per_page => 20)
What is the simplest way for me to sanitize this? I tried

    @location_matches = Location.paginate_by_sql('SELECT * FROM locations WHERE #{@search_string} = ?', @search_string)
This throws an ArgumentError (argument hash). FYI, @search_string is built from the following form fields:

Form

Controller

    query = Location.escape_sql(["SELECT * from locations WHERE #{@search_string} = ?", params[:@search_string]])
    @location_matches = Location.paginate_by_sql(query, :page => params[:page], :per_page => 20)
The log looks the same as with the code that returns results:

    Parameters: {"city"=>"New York", "commit"=>"Search", "search"=>{"size_category"=>"", "state"=>""}}

The short answer is: you really can't do this quickly.

I would suggest updating the search-string generator so that instead of just creating a string, it builds the finder-style array set, e.g. [field=?, param]

For example:

    # collect the "column like ?" fragments and their values separately
    search_clauses = []
    search_vals = []
    if params[:city].present?
      search_clauses << "city like ?"
      search_vals << "%#{params[:city]}%"
    end
    if params[:whatever].present?
      search_clauses << "whatever like ?"
      search_vals << "%#{params[:whatever]}%"
    end
    # join with "and" so the first clause is not preceded by a dangling "and",
    # and leave the WHERE out entirely when no field was filled in
    search_string = "SELECT * from locations"
    search_string += " WHERE #{search_clauses.join(' and ')}" unless search_clauses.empty?
    # turns it into the array-with question-mark syntax
    search_query = [search_string] + search_vals

    # if paginate_by_sql takes array, you can use it straight up here:
    @location_matches = Location.paginate_by_sql(search_query,  :page => params[:page], :per_page => 20)

    # otherwise use your "escape_sql" variant first
    @location_matches = Location.paginate_by_sql(Location.escape_sql(search_query),  :page => params[:page], :per_page => 20)

Yes, that is actually one of the sources I checked, but I couldn't apply what it covers to this problem: I have a variable in the where clause, and that variable is what I'm trying to sanitize. I'm not familiar with these statements, so I really appreciate any help! Could I do this? query = Location.escape_sql ["FROM #{@search_string} = ?", @search_string] and then @location_matches = Location.paginate_by_sql(query order by nickname asc, :page => params[:page], :per_page => 20)
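The following is an added example, not code from the question or the answer above. It is plain Ruby with no Rails dependency: it builds the `[sql, *binds]` array form that `find_by_sql` and `paginate_by_sql` accept from a column allowlist, so only the values (never the column names or operators) come from the request, and it contrasts that with the interpolated WHERE clause from the question. The names `SEARCHABLE_COLUMNS`, `build_location_query`, `quote_value`, `expand_binds` and `unsafe_location_sql` are invented for this example, the params hash is assumed to be flat, and `expand_binds` is a simplified stand-in for what ActiveRecord's `sanitize_sql` does with `?` placeholders.

```ruby
# Added example (not from the question or the answer): build the
# [sql, *binds] array that find_by_sql / paginate_by_sql accept.
# All names below are invented for this example; params is assumed flat.

# Allowlist: form parameter => column and operator. Column names and
# operators are fixed here; only the values ever come from the request.
SEARCHABLE_COLUMNS = {
  "city"          => { :column => "city",          :op => "LIKE" },
  "state"         => { :column => "state",         :op => "=" },
  "size_category" => { :column => "size_category", :op => "=" },
}.freeze

# Returns ["SELECT ... WHERE city LIKE ? AND state = ? ORDER BY nickname ASC", v1, v2].
# Blank fields are skipped; with no fields at all there is no WHERE clause.
def build_location_query(params)
  clauses = []
  binds   = []
  SEARCHABLE_COLUMNS.each do |param, spec|
    value = params[param]
    next if value.nil? || value.to_s.strip.empty?
    clauses << "#{spec[:column]} #{spec[:op]} ?"
    binds   << (spec[:op] == "LIKE" ? "%#{value}%" : value.to_s)
  end
  sql = "SELECT * FROM locations"
  sql += " WHERE " + clauses.join(" AND ") unless clauses.empty?
  sql += " ORDER BY nickname ASC"
  [sql] + binds
end

# Simplified stand-in for what ActiveRecord's sanitize_sql does with the
# array form: each ? becomes the matching value as a quoted MySQL string
# literal (backslash and single quote escaped). In the real application
# ActiveRecord performs this step for you.
def quote_value(value)
  escaped = value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" }
  "'#{escaped}'"
end

def expand_binds(query)
  sql, *binds = query
  unless sql.count("?") == binds.size
    raise ArgumentError, "#{sql.count('?')} placeholders but #{binds.size} values"
  end
  remaining = binds.dup
  sql.gsub("?") { quote_value(remaining.shift) }
end

# The pattern from the question: request data is interpolated straight into
# the statement, so a quote in the input changes the statement's structure.
def unsafe_location_sql(city)
  "SELECT * FROM locations WHERE city LIKE '%#{city}%' ORDER BY nickname ASC"
end

if __FILE__ == $0
  # constructed request, shaped like the Parameters line in the question
  params = { "city" => "O'Brien", "state" => "", "size_category" => "", "commit" => "Search" }
  query = build_location_query(params)
  puts query.inspect
  puts expand_binds(query)                 # bound form keeps the quote inside the literal
  puts unsafe_location_sql(params["city"]) # interpolated form ends the literal early
end
```

Running the block shows the two outcomes side by side for the same input: in the array form the quote in `O'Brien` is escaped and stays part of the LIKE pattern, while in the interpolated form it terminates the string literal, which is exactly the opening an injection needs. In the controller the same `[sql, *binds]` array would be passed to `paginate_by_sql` as the answer describes.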