假设我有一个用户列表页面,你可以按不同的列排序,当点击'email'时,它会传递sort_by=email sort_direction=asc或desc
sort_by = "email" # really params[:sort_by]
sort_direction = "asc" # really params[:sort_direction]
User.order("#{sort_by} #{sort_direction}")
# SELECT "users".* FROM "users" ORDER BY email asc
可以正常工作,但是如果我们改变sort_by
sort_by = "email; DELETE from users; --"
User.order("#{sort_by} #{sort_direction}")
# SELECT "users".* FROM "users" ORDER BY email; DELETE from users; -- asc
现在我们没有更多的用户了:(
我可以手动构建一个有效的sort_by白名单,并比较params[:sort_by],但希望有一些内置的方法来处理这种事情
Ryan Bates的方法:
:
def index
@users = User.order(sort_by + " " + direction)
end
private
def sort_by
%w{email name}.include?(params[:sort_by]) ? params[:sort_by] : 'name'
end
def direction
%w{asc desc}.include?(params[:direction]) ? params[:direction] : 'asc'
end
实际上你是在创建一个白名单,但是很容易做到,而且不容易被注入。