0

感谢您对此的帮助。我是 Rails 新手(使用 Rails 2,我知道这并不理想,但它对项目来说是必需的。)我有一个包含多个输入的表单。我想确保保护我的用户免受 SQL 注入。我想我已经妥善处理了它,但我只是想确定一下,尤其是在输入方面。

shoes.html.erb 具有保存到 shoes and socks 表的表格

    <% form_for @shoe, :html=>{:id=>'createanOrder'} do |f| %>

    <input id="shoe_name" name="shoename" size="30" type="text" value="New Shoe"></p>

    <p>Enter a decoration for the top:
    <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>

    <p>Or, select a decoration from the list:
    <select id="topdecorationdropdown" name="topdecorationdropdown">
    <option value="">
    <% for allshoe in @allshoe %>
    <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
    <% end %>
    </select>
    </p>

    <select multiple id="socks" name="socksselected[]">
    <% for sock in @sock %>
    <option selected value="<%= sock.name %>">
    <%= sock.name %></option>
    <% end %>
    </select>  

    <input type="checkbox" name="shipit" id="shipt" checked="true">

    <p>Enter a decoration for the bottom:
    <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>

    <p>Or, select a decoration from the list:
    <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
    <option value="">
    <% for allshoe in @allshoe %>
    <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
    <% end %>
    </select>
    </p>
    <input type="submit" id="savethisorder" value="Save Order or Update Order">     
    <% end %>

鞋子控制器

    class ShoesController < ApplicationController
    # GET /shoes
    # GET /shoes.xml
    def index
    @shoe = Shoe.all
    @sock = Sock.all
    respond_to do |format|
    format.html # index.html.erb
  format.xml  { render :xml => @shoes }
    end
    end

    # GET /shoes/1
    # GET /shoes/1.xml

    def show
    @shoe = Shoe.find(params[:id])
    @sock = Sock.find(params[:id])
    respond_to do |format|
    format.html # show.html.erb
    format.xml  { render :xml => @shoe }
    end
    end

    # GET /shoes/new
    # GET /shoes/new.xml
    def new
    @shoe = Shoe.new
    @sock = Sock.new
    respond_to do |format|
    format.html # new.html.erb
    format.xml  { render :xml => @shoe }
    end
    end

    # GET /shoes/1/edit
    def edit
    @shoe = Shoe.find(params[:id])
@sock = Sock.find(params[:id])
    respond_to do |format|
      format.html # edit.html.erb
      format.xml  { render :xml => @activity }
    end
    end

    # POST /shoes
    # POST /shoes.xml

    def create

    @shoe = Shoe.new(params[:shoe])
    @shoe.name = params[:shoename]

    if !params[:topdecorationdropdown].blank?
    @shoe.decoration = params[:topdecorationinput]
    else
    @shoe.decoration = params[:topdecorationdropdown]
    topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip) 
    @shoe.sparkletopdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]).sparkle
    end                                     

    socks = params[:socksselected]
    socks.each do |sock_info|
    sock = Sock.new
    sock.sockdescription = sock_info
    sock.shoe = @shoe

    sockdecoration_array = sock_info.split(',').collect(&:strip)
    @sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
        if @sockisaset
        sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]).sparkle
        else
        sock.sparkle = nil
        end 
    sock.save
    end


    if !params[:shipit].blank?
    @shoe.shipit = 1
    else
    @shoe.shipit = 0
    end

    if !params[:bottomdecorationdropdown].blank?
    @shoe.decoration = params[:bottomdecorationinput]
    else
    @shoe.decoration = params[:bottomdecorationdropdown]
    bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip) 
    @shoe.sparklebottomdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]).sparkle

    end         
end


respond_to do |format|
  if @shoe.save
    format.html { redirect_to "/store" }
    format.xml  { render :xml => @shoe, :status => :created}
  else
    format.html { render :action => "new" }
    format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
  end
end
    end

    # PUT /shoes/1
    # PUT /shoes/1.xml

    def update
    @shoe = Shoe.find(params[:id])
    respond_to do |format|
    if @shoe.update_attributes(params[:shoe])
    flash[:notice] = 'Shoe was successfully updated.'
    format.html { redirect_to "/store" }
    format.xml  { head :ok }
    else
    format.html { render :action => "edit" }
    format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
    end
    end
    end

    # DELETE /shoes/1
    # DELETE /shoes/1.xml

    def destroy
    @shoe = Shoe.find(params[:id])
    @shoe.destroy
    respond_to do |format|
    format.html { redirect_to "/store" }
    format.xml  { head :ok }
    end
    end
    end

鞋型

    class Shoe < ActiveRecord::Base
belongs_to :footwear
has_many :socks, :dependent => :destroy
    end
4

1 回答 1

1

上面给出的代码受到 SQL 注入的保护。在 ROR 中可以进行注入,但通常在构建查询时直接在 find by sql 命令中使用变量时发生。

对于 EX:

sq = "Select * from users where id = {params[:id]}"
res = User.find_by_sql(sql)

在上述情况下,可以通过在 params[:id] 中发送适当的语句来完成 sql 注入。上面相同的代码可以写成如下来防止注入。

sq = "Select * from users where id = ?"
res = User.find_by_sql([sql,params[:id]])

上面编写的代码可以避免 SQL 注入。

于 2013-08-20T18:13:59.270 回答