Rails SQL injection vulnerability
Does using Model.find(params[:id]) lead to a SQL injection vulnerability?
No, it does not. Quoting the guide (http://guides.rubyonrails.org/security.html#sql-injection):
Ruby on Rails has a built-in filter for special SQL characters, which will escape ', ", NULL character and line breaks. Using Model.find(id) or Model.find_by_something(something) automatically applies this countermeasure.
By the way, you probably meant Model.find(params[:id]) or Model.find_by(id: params[:id]); Model.find(id: params[:id]) makes no sense.
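As an added illustration (not part of the original answer, and not Rails' own code): a small pure-Ruby stand-in for the difference the guide is describing between interpolating a request parameter into SQL and binding it. In Rails the safe forms are Model.find(params[:id]), Model.find_by(id: params[:id]) and Model.where("name = ?", params[:name]); the quote_literal, bind_sql, find_by_id_sql and literal_count helpers below are constructed for this example only, and the payload string is a constructed sample input.

```ruby
# Constructed stand-in for ActiveRecord-style quoting: the value can only ever
# be read as ONE string literal. Single quotes are doubled (the SQL-standard
# escape) and NUL bytes, which the guide also lists, are dropped.
def quote_literal(value)
  escaped = value.to_s.delete("\0").gsub("'", "''")
  "'#{escaped}'"
end

# Constructed stand-in for "?" placeholder binding. The template is split on
# its placeholders first, so a "?" inside a bound value is never mistaken for
# a placeholder (a classic bug in naive sub-in-a-loop implementations).
def bind_sql(template, *values)
  parts = template.split("?", -1)
  unless parts.length - 1 == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  parts.zip(values.map { |v| quote_literal(v) } + [""]).flatten.join
end

# The pattern the Rails guide warns about: interpolating the raw parameter.
def interpolated_sql(user_input)
  "SELECT * FROM users WHERE name = '#{user_input}'"
end

# The safe pattern: the value is bound, so whatever it contains stays inside
# a single literal and cannot change the structure of the query.
def bound_sql(user_input)
  bind_sql("SELECT * FROM users WHERE name = ?", user_input)
end

# Integer primary keys (the Model.find(params[:id]) case) need no quoting at
# all: the parameter is strictly parsed, and a non-numeric value never reaches
# the query. Returning nil here is a constructed stand-in for the
# record-not-found failure a controller would turn into a 404.
def find_by_id_sql(raw_id)
  id = Integer(raw_id, 10)
  "SELECT * FROM users WHERE id = #{id} LIMIT 1"
rescue ArgumentError, TypeError
  nil
end

# Count the string literals in a SQL text, treating '' inside a literal as an
# escaped quote. It lets us check mechanically whether a payload "broke out":
# a bound value always contributes exactly one literal.
def literal_count(sql)
  count = 0
  in_literal = false
  i = 0
  while i < sql.length
    if sql[i] == "'"
      if in_literal && sql[i + 1] == "'"
        i += 1 # escaped quote: still inside the same literal
      else
        in_literal = !in_literal
        count += 1 unless in_literal # a literal was just closed
      end
    end
    i += 1
  end
  count
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR '1'='1" # constructed sample input
  puts "interpolated: #{interpolated_sql(payload)}  (literals: #{literal_count(interpolated_sql(payload))})"
  puts "bound:        #{bound_sql(payload)}  (literals: #{literal_count(bound_sql(payload))})"
  puts "find 42:      #{find_by_id_sql('42').inspect}"
  puts "find payload: #{find_by_id_sql('1 OR 1=1').inspect}"
end
```

Running it shows the interpolated query ending up with three separate literals and an always-true OR, while the bound query still contains a single literal whose contents happen to include quotes; the integer lookup simply rejects anything that is not a number.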