Thanks for your help with this. I'm new to Rails (using Rails 2, which I know isn't ideal, but it is necessary for this project). I have a form with multiple inputs. I want to make sure I'm protecting my users from SQL injection. I think I've handled it correctly, but I just want to be sure, especially with the inputs.
footwear.html.erb has the form that saves to the shoes and socks tables
<%# Rails 2: form_for's block uses <% %>, not <%= %>. %>
<% form_for @shoe, :html => {:id => 'createanOrder'} do |f| %>
  <p>
  <input id="shoe_name" name="shoename" size="30" type="text" value="New Shoe"></p>
  <p>Enter a decoration for the top:
  <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>
  <p>Or, select a decoration from the list:
  <select id="topdecorationdropdown" name="topdecorationdropdown">
    <option value=""></option>
    <%# Rails 2 does not HTML-escape ERB output; wrap values that may originate from users in h(). %>
    <% for allshoe in @allshoe %>
      <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
    <% end %>
  </select>
  </p>
  <%# Multi-select; the browser sends socksselected[] as an array (or omits it when nothing is selected). %>
  <select multiple id="socks" name="socksselected[]">
    <% for sock in @sock %>
      <option selected value="<%= sock.name %>"><%= sock.name %></option>
    <% end %>
  </select>
  <input type="checkbox" name="shipit" id="shipit" checked="checked">
  <p>Enter a decoration for the bottom:
  <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>
  <p>Or, select a decoration from the list:
  <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
    <option value=""></option>
    <% for allshoe in @allshoe %>
      <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
    <% end %>
  </select>
  </p>
  <input type="submit" id="savethisorder" value="Save Order or Update Order">
<% end %>
Shoes controller
class ShoesController < ApplicationController
  # GET /shoes
  # GET /shoes.xml
  def index
    @shoe = Shoe.all
    @sock = Sock.all
    respond_to do |format|
      format.html # index.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # GET /shoes/1
  # GET /shoes/1.xml
  def show
    # find(params[:id]) quotes the id before it is used in the query.
    @shoe = Shoe.find(params[:id])
    @sock = Sock.find(params[:id])
    respond_to do |format|
      format.html # show.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # GET /shoes/new
  # GET /shoes/new.xml
  def new
    @shoe = Shoe.new
    @sock = Sock.new
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # GET /shoes/1/edit
  def edit
    @shoe = Shoe.find(params[:id])
    @sock = Sock.find(params[:id])
    respond_to do |format|
      format.html # edit.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # POST /shoes
  # POST /shoes.xml
  def create
    @shoe = Shoe.new(params[:shoe])
    @shoe.name = params[:shoename]

    # Use the free-text decoration when no dropdown value was chosen; otherwise
    # use the dropdown value and look up its sparkle.
    if params[:topdecorationdropdown].blank?
      @shoe.decoration = params[:topdecorationinput]
    else
      @shoe.decoration = params[:topdecorationdropdown]
      topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip)
      # Hash-style :conditions are quoted by ActiveRecord: the value is bound as a
      # literal, never spliced into the SQL text.
      @shoe.sparkletopdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]}).sparkle
    end

    # A multi-select with nothing selected sends no socksselected[] parameter at all.
    socks = params[:socksselected] || []
    socks.each do |sock_info|
      # Build through the association so the sock is saved with the shoe's id
      # when @shoe.save runs below.
      sock = @shoe.socks.build
      sock.sockdescription = sock_info
      sockdecoration_array = sock_info.split(',').collect(&:strip)
      @sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
      if @sockisaset
        sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]}).sparkle
      else
        sock.sparkle = nil
      end
    end

    if !params[:shipit].blank?
      @shoe.shipit = 1
    else
      @shoe.shipit = 0
    end

    if params[:bottomdecorationdropdown].blank?
      @shoe.decoration = params[:bottomdecorationinput]
    else
      @shoe.decoration = params[:bottomdecorationdropdown]
      bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip)
      @shoe.sparklebottomdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]}).sparkle
    end

    respond_to do |format|
      if @shoe.save
        format.html { redirect_to "/store" }
        format.xml  { render :xml => @shoe, :status => :created }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
      end
    end
  end

  # PUT /shoes/1
  # PUT /shoes/1.xml
  def update
    @shoe = Shoe.find(params[:id])
    respond_to do |format|
      if @shoe.update_attributes(params[:shoe])
        flash[:notice] = 'Shoe was successfully updated.'
        format.html { redirect_to "/store" }
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
      end
    end
  end

  # DELETE /shoes/1
  # DELETE /shoes/1.xml
  def destroy
    @shoe = Shoe.find(params[:id])
    @shoe.destroy
    respond_to do |format|
      format.html { redirect_to "/store" }
      format.xml  { head :ok }
    end
  end
end
Shoe model
class Shoe < ActiveRecord::Base
  belongs_to :footwear
  has_many :socks, :dependent => :destroy
end
Best answer
The code given above is protected from SQL injection. Injection is possible in RoR, but it usually happens when building a query by using variables directly in a find_by_sql command.
For example:
# Vulnerable: the request parameter is interpolated straight into the SQL text.
sql = "Select * from users where id = #{params[:id]}"
res = User.find_by_sql(sql)
In the above case, SQL injection can be performed by sending an appropriate statement in params[:id]. The same code can be written as below to prevent injection.
# Safe: "?" is a bind placeholder, and ActiveRecord quotes params[:id] before it reaches the database.
sql = "Select * from users where id = ?"
res = User.find_by_sql([sql, params[:id]])
The code written above is safe and is not affected by SQL injection.
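The difference between the two find_by_sql forms in the answer can be run without a database. The following is an added example, not code from the question or the answer: a small pure-Ruby stand-in for the "?" placeholder binding that ActiveRecord performs for find_by_sql([sql, value]), placed next to the string-interpolation form, plus the stricter integer coercion that fits an id column. The function names (quote_value, bind_sql, interpolated_query, bound_query, integer_id) and the sample parameter values are assumptions made for this example.

```ruby
# Added example: pure-Ruby illustration of bind-value quoting versus string
# interpolation. It mimics what an SQL adapter does with find_by_sql([sql, v]);
# it is not ActiveRecord's own implementation.

# Quote one bound value the way an SQL adapter would: integers are emitted
# as-is, nil becomes NULL, and strings are wrapped in single quotes with any
# embedded single quote doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the next quoted bind value. Mismatched
# placeholder and value counts are rejected, as ActiveRecord also does.
def bind_sql(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} bind values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# The pattern the answer warns about: whatever the parameter contains becomes
# part of the statement text.
def interpolated_query(id_param)
  "SELECT * FROM users WHERE id = #{id_param}"
end

# The pattern the answer recommends: the parameter becomes one quoted literal,
# whatever it contains.
def bound_query(id_param)
  bind_sql("SELECT * FROM users WHERE id = ?", id_param)
end

# Stricter still for an integer primary key: coerce the parameter before it is
# used, so anything that is not a base-10 integer is rejected (returns nil).
def integer_id(id_param)
  Integer(id_param.to_s, 10)
rescue ArgumentError
  nil
end

if __FILE__ == $0
  # Constructed request parameters: one well-formed, one malformed.
  good = "42"
  bad  = "42 OR 1=1"
  puts interpolated_query(bad)   # the parameter text is now part of the SQL
  puts bound_query(bad)          # the parameter is a single quoted string
  p integer_id(good)             # 42
  p integer_id(bad)              # nil
end
```

Running the file prints the two generated statements side by side; the bound form keeps the malformed parameter inside one string literal, and integer_id rejects it outright, which is the check to prefer when the column is an integer id.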
Regarding "mysql - Is this Ruby on Rails code vulnerable to SQL injection attacks?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/18326010/