我有下面的代码,我正在使用基于用户的搜索过滤帖子的结果。我如何确保参数存在,有效和消毒?Rails消毒和验证用户输入where条款
Post.where("title LIKE ? AND cost >= ? AND cost <= ? AND status = 'open'", "%#{search_params[:keywords]}%",
"#{search_params[:min] && !search_params[:min].empty? ? search_params[:min] : 0}",
"#{search_params[:max] && !search_params[:max].empty? ? search_params[:max] : 999999999}");
的'#sanitize_sql_for_conditions'方法应该在这里派上用场 - [see docs](http://api.rubyonrails.org/classes/ActiveRecord/Sanitization/ClassMethods.html#method-i-sanitize_sql_for_conditions) – Zoran