Rails通过数组列和SQL注入进行搜索
我有个简短的问题。此代码易受SQL注入攻击:Rails通过数组列和SQL注入进行搜索,sql,ruby-on-rails,ruby,postgresql,Sql,Ruby On Rails,Ruby,Postgresql,我有个简短的问题。此代码易受SQL注入攻击: ActiveAdmin::SurveyPack.where("survey_schemas @> '{#{survey_schema}}'") survey_schemas列是my rails应用程序中的数组列。简短回答,是的 来自ActiveAdmin::SurveyPack.where(“survey_schema@>'{{survey_schema}}') 到ActiveAdmin::SurveyPack.where(“survey_s
ActiveAdmin::SurveyPack.where("survey_schemas @> '{#{survey_schema}}'")
ActiveAdmin::SurveyPack.where(“survey_schema@>'{{survey_schema}}')ActiveAdmin::SurveyPack.where(“survey_schema@>'{?}',survey_schema)ActiveAdmin::SurveyPack.where(“survey_schema@>'{{survey_schema}}')ActiveAdmin::SurveyPack.where(“survey_schema@>'{?}',survey_schema) ActiveAdmin::SurveyPack.where("survey_schemas @> ARRAY[?]", survey_schema)
ActiveAdmin::SurveyPack.where("survey_schemas @> ARRAY[?]", survey_schema)
愉快的编码。Hmm,这个ActiveAdmin::SurveyPack.where(“survey_schemas@>'{?}',survey_schemas”)返回语法错误。类似的东西可以正常工作:ActiveAdmin::SurveyPack.where(“survey_schemas@>>,'{{survey_schemas}')Hmm,这个ActiveAdmin::SurveyPack.where(“survey_schemas@>'{?}',survey_schema”)返回语法错误。类似的操作正常:ActiveAdmin::SurveyPack.where(“survey_schema@>?”,“{{survey_schema}}”)