【发布时间】:2015-03-14 22:18:16
【问题描述】:
这是我遇到 sql 注入问题的 sql。我需要用 Rails 方式制作这个 sql
这里是rails方式选择查询:
select_string = "travel_items.*, 6371.0 * 2 * ASIN(SQRT(POWER(SIN((#{lat} - travel_items.lat) * PI() / 180 / 2), 2) + COS(#{lat} * PI() / 180) * COS(travel_items.lat * PI() / 180) * POWER(SIN((#{lng} - travel_items.lng) * PI() / 180 / 2), 2))) AS distance, MOD(CAST((ATAN2( ((travel_items.lng - #{lng}) / 57.2957795), ((travel_items.lat - #{lat}) / 57.2957795)) * 57.2957795) + 360 AS decimal), 360) AS bearing"
where_string = ["travel_items.lat BETWEEN ? AND ? AND travel_items.lng BETWEEN ? AND ? AND (6371.0 * 2 * ASIN(SQRT(POWER(SIN(( ? - travel_items.lat) * PI() / 180 / 2), 2) + COS( ? * PI() / 180) * COS(travel_items.lat * PI() / 180) * POWER(SIN((? - travel_items.lng) * PI() / 180 / 2), 2)))) BETWEEN 0.0 AND ?",min_lat,max_lat, min_lng, max_lng, mid_lat, mid_lat, mid_lng, distance_km]
TravelItem.select(select_string).where("travel_items.type = ?", travel_item_type).where(where_string).order('distance').limit(limit).to_a
对于where_string,我没有遇到 sql 注入问题。我只在 select_string 上得到它。我们可以有解决方案来消除这方面的 sql 注入吗?
【问题讨论】:
标签: ruby-on-rails-4 rails-activerecord sql-injection