我需要创建一个简单的搜索,但我负担不起使用 Sphinx。
这是我写的:
keywords = input.split(/\s+/)
queries = []
keywords.each do |keyword|
queries << sanitize_sql_for_conditions(
"(classifications.species LIKE '%#{keyword}%' OR
classifications.family LIKE '%#{keyword}%' OR
classifications.trivial_names LIKE '%#{keyword}%' OR
place LIKE '%#{keyword}%')")
end
options[:conditions] = queries.join(' AND ')
现在,sanitize_sql_for_conditions 不起作用!它返回只是返回原始字符串。
如何重写此代码以逃避恶意代码?