如果无法使用ActiveRecord有效地表达查询,在插值传递的ActiveRecord::Base.connection.execute
属性时如何安全地使用params
?
connection.execute "... #{params[:search]} ..."
ActiveRecord::Base
子类。在模型类中,您可以执行以下操作:
class MyModel < ActiveRecord::Base
def bespoke_query(params)
query = sanitize_sql(['select * from somewhere where a = ?', params[:search]])
connection.execute(query)
end
end
您也可以send
在控制台上尝试的方法:
> MyModel.send(:sanitize_sql, ["Evening Officer ?", "'Dibble'"])
=> "Evening Officer '\\'Dibble\\''"
尽管我会非常小心地像这样直接插入参数。您遇到什么问题,无法使用ActiveRecord?