I'm new to the RoR world, and my RoR application has many SELECT SQL queries like this:

@replies = Offerreply.find_by_sql("SELECT * FROM offerreplies WHERE offer_id=" + params[:offer_id])

Some are very simple like the one above, some are very complex JOINs. Most of them suffer from SQL injection problems. So, how do I sanitize such SQL statements in RoR?
Edit: how do I handle the same problem in SQL statements that have JOINs and subqueries? Something like this:

@to_be_approved=Beneficiary.find_by_sql("SELECT * FROM beneficiaries WHERE project_id="+params[:id]+" AND NOT id IN (SELECT beneficiaries.id FROM beneficiaries INNER JOIN beneficiaryloans ON beneficiaryloans.beneficiary_id=beneficiaries.id AND beneficiaryloans.hfi_id="+session[:id].to_s+" AND beneficiaries.status_id=4) AND cso_id IN(SELECT user_id FROM user_projects INNER JOIN users ON user_projects.user_id=users.id AND users.user_type_id=2)")
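The following is an added example, not code from the question or from any answer on this page. It places the asker's concatenated query next to the bind-parameter form that ActiveRecord's `find_by_sql` accepts (`find_by_sql(["... WHERE offer_id = ?", value])`, an array of SQL text followed by values), and does the same for the JOIN/subquery statement from the edit. Because the page's models and database are not available here, `quote_value` and `render` are a small stand-in (an assumption, not ActiveRecord's own code) for what the database adapter does with a bind array: each `?` is replaced by a quoted value, so input can never change the query's structure. The request parameters are constructed for the demonstration.

```ruby
# Added example (not the asker's code). Constructed parameters, as Rails
# would hand them over in params / session.
HONEST_PARAMS  = { offer_id: "42" }
HOSTILE_PARAMS = { offer_id: "42 OR 1=1" }   # classic injection payload

# 1. The vulnerable form from the question: user input spliced into SQL text,
#    so the input becomes part of the query's syntax.
def concatenated_query(params)
  "SELECT * FROM offerreplies WHERE offer_id=" + params[:offer_id]
end

# 2. Hardened form: the SQL is a fixed literal, values travel separately.
#    This array is exactly what Offerreply.find_by_sql accepts.
def bound_query(params)
  ["SELECT * FROM offerreplies WHERE offer_id = ?", params[:offer_id]]
end

# 3. Stricter still for ids: parse as a base-10 integer before any SQL is
#    built. Integer() raises ArgumentError on "42 OR 1=1" (and on "0x2A").
def bound_query_int(params)
  ["SELECT * FROM offerreplies WHERE offer_id = ?", Integer(params[:offer_id], 10)]
end

# 4. The JOIN / subquery statement from the edit, with every dynamic value
#    turned into a placeholder. Constants such as status_id=4 stay literal.
def bound_join_query(params, session)
  [<<~SQL, Integer(params[:id], 10), Integer(session[:id])]
    SELECT * FROM beneficiaries
    WHERE project_id = ?
      AND NOT id IN (
        SELECT beneficiaries.id FROM beneficiaries
        INNER JOIN beneficiaryloans
          ON beneficiaryloans.beneficiary_id = beneficiaries.id
         AND beneficiaryloans.hfi_id = ?
         AND beneficiaries.status_id = 4)
      AND cso_id IN (
        SELECT user_id FROM user_projects
        INNER JOIN users ON user_projects.user_id = users.id
                        AND users.user_type_id = 2)
  SQL
end

# Stand-in (assumption, not ActiveRecord's implementation) for how a bind
# array is quoted before it reaches the database: integers pass through,
# strings are quoted with embedded quotes doubled. ActiveRecord does the
# equivalent in sanitize_sql_array / the adapter's quote method.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each '?' with the matching quoted value. gsub with a block walks the
# original string only once, so a '?' inside a quoted value is never re-bound.
def render(bind_array)
  sql, *binds = bind_array
  raise ArgumentError, "bind count mismatch" unless sql.count("?") == binds.size
  i = -1
  sql.gsub("?") { quote_value(binds[i += 1]) }
end

if __FILE__ == $PROGRAM_NAME
  puts concatenated_query(HOSTILE_PARAMS)        # WHERE offer_id=42 OR 1=1  (every row)
  puts render(bound_query(HOSTILE_PARAMS))       # WHERE offer_id = '42 OR 1=1'  (a value)
  puts render(bound_query_int(HONEST_PARAMS))    # WHERE offer_id = 42
  puts render(bound_join_query({ id: "7" }, { id: 3 }))
end
```

The point of the bind-array form is that the database receives the same query text for every request; only the values differ. For the simple case Rails also offers `Offerreply.where(offer_id: params[:offer_id])`, which builds the same parameterised query without writing SQL at all, and the hash/`?` placeholder style of `where` works inside JOIN and subquery strings exactly as in `bound_join_query`.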