MySql Query ::如何解决数据中的问题，当查询被触发时

Question

我正面临着数据中存在这样的问题。搜索时不显示数据。我想删除SQL注入问题 代码::

@search_condition = "" 
      if !search_text.nil? 
      search_field = search_text.split("-") 
      @search_condition = "(address_books.organization_name like '#{search_text}%' or address_books.business_name like '#{search_text}%' or address_books.federal_tax_id like '#{search_text}%' or address_books.city like '#{search_text}%' or address_books.zip like '#{search_text}%') " if search_field.length == 1 

      if search_text.include? "-" 
       if search_field.length <= 1 
       @search_condition = " (address_books.organization_name like '%" + search_field[0] + "%' " 
       @search_condition += " or address_books.business_name like '%" + search_field[1] + "%' " 
       @search_condition += " or address_books.federal_tax_id like '%" + search_field[2] + "%' " 
       @search_condition += " or address_books.city like '%" + search_field[3] + "%' " 
       @search_condition += " or address_books.zip like '%" + search_field[4] + "%') " 

Answer 1

您需要通过更换所有的数据插入？并保存每个数据来取代这个？在Array

@search_condition = "" 
      if !search_text.nil? 
      search_field = search_text.split("-") 
      if search_field.length == 1 
       @search_condition = "(address_books.organization_name like ? or address_books.business_name like ? or address_books.federal_tax_id like ? or address_books.city like ? or address_books.zip like ?) " 
       @search_condition_datas = ["#{search_text}%", "#{search_text}%", "#{search_text}%", "#{search_text}%", , "#{search_text}%"] 
      if search_text.include? "-" 
       if search_field.length <= 1 
       @search_condition = " (address_books.organization_name like ? " 
       @search_condition += " or address_books.business_name like ?" 
       @search_condition += " or address_books.federal_tax_id like ?" 
       @search_condition += " or address_books.city like ?" 
       @search_condition += " or address_books.zip like ?" 
       @search_condition_datas = ["%#{search_text[0]}%", "%#{search_text[1]}%", "%#{search_text[2]}%", "%#{search_text[3]}%", , "%#{search_text[4]}%"] 

而后就可以用

User.find(:all, :conditions => [@search_condition] | @search_conditions_datas) 

此代码搜索后，可重构。这真的很难看。

Answer 2

下面是使用Arel/Rails的3/REE 2010-02

class AddressBook < ActiveRecord::Base 

    def self.search(search_text) 
    unless search_text.nil? 
     t = arel_table 
     results = scoped 

     search_fields = search_text.split("-") 
     search_fields.map! {|f| "%#{f}" } unless search_fields.length == 1 
     results = results.where(
     t[:organization_name].matches("#{search_fields[0] || search_text}%"). 
     or(t[:business_name].matches("#{search_fields[1] || search_text}%")). 
     or(t[:federal_tax_id].matches("#{search_fields[2] || search_text}%")). 
     or(t[:city].matches("#{search_fields[3] || search_text}%")). 
     or(t[:zip].matches("#{search_fields[4] || search_text}%")) 
    ) 
    end 
    results 
    end 

end 

这里可能的重构是SQL后产生：

ree-1.8.7-2010.02 > AddressBook.search("something") 
    AddressBook Load (0.1ms) SELECT "address_books".* FROM "address_books" WHERE ((((("address_books"."organization_name" LIKE 'something%' OR "address_books"."business_name" LIKE 'something%') OR "address_books"."federal_tax_id" LIKE 'something%') OR "address_books"."city" LIKE 'something%') OR "address_books"."zip" LIKE 'something%')) 
=> [] 


ree-1.8.7-2010.02 > AddressBook.search("1-2-3-4-5") 
    AddressBook Load (0.2ms) SELECT "address_books".* FROM "address_books" WHERE ((((("address_books"."organization_name" LIKE '%1%' OR "address_books"."business_name" LIKE '%2%') OR "address_books"."federal_tax_id" LIKE '%3%') OR "address_books"."city" LIKE '%4%') OR "address_books"."zip" LIKE '%5%')) 
=> [] 

显然，根据你的需要，你想怎么搜索，您可以更新这个。主要的一点是，通过Arel，你可以保持关系的连锁子句，直到它被实际查询的地步。我认为，这比建立条件字符串或数组要干净得多。