没有 sql 注入的 ActiveRecord 复杂 where 子句
ActiveRecord complex where clause without sql injection
我正在为我的网站构建搜索,我正在尝试通过将搜索查询拆分为多个词来使用搜索查询,然后按子类别或 short_description:
进行搜索
whereQuery = ''
declared(params).search.downcase.split(' ').each_with_index do |searchTerm, index|
if index != 0
whereQuery += ' and ';
end
whereQuery += '(lower(short_description) like "%'+searchTerm+'%" or lower(subcategory) like "%'+searchTerm+'%")'
end
orders.where(whereQuery).order(number_of_purchases: :desc, rating: :desc)
是否有 better/safer 方法来避免此查询的 SQL 注入?
使用 ActiveRecord 链接:
orders = Order
declared(params).search.downcase.split(' ').each do |searchTerm|
orders = orders.where('(LOWER(short_description) LIKE ? OR LOWER(subcategory) LIKE ?', "%#{searchTerm}%", "%#{searchTerm}%")
end
orders = orders.order(number_of_purchases: :desc, rating: :desc)
我正在为我的网站构建搜索,我正在尝试通过将搜索查询拆分为多个词来使用搜索查询,然后按子类别或 short_description:
进行搜索whereQuery = ''
declared(params).search.downcase.split(' ').each_with_index do |searchTerm, index|
if index != 0
whereQuery += ' and ';
end
whereQuery += '(lower(short_description) like "%'+searchTerm+'%" or lower(subcategory) like "%'+searchTerm+'%")'
end
orders.where(whereQuery).order(number_of_purchases: :desc, rating: :desc)
是否有 better/safer 方法来避免此查询的 SQL 注入?
使用 ActiveRecord 链接:
orders = Order
declared(params).search.downcase.split(' ').each do |searchTerm|
orders = orders.where('(LOWER(short_description) LIKE ? OR LOWER(subcategory) LIKE ?', "%#{searchTerm}%", "%#{searchTerm}%")
end
orders = orders.order(number_of_purchases: :desc, rating: :desc)