据我所知,在 Rails 中应该可以做到以下几点:
ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]])
但遗憾的是,这根本不起作用。无论我尝试使用什么格式,$1 和 $2 永远不会被绑定数组中的相应值替换。
还有什么需要注意的吗?
【问题讨论】:
标签: sql ruby-on-rails prepared-statement
您应该在模型中使用sanitize_sql_array,如下所示:
r = self.sanitize_sql_array(["SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=? AND created<=? GROUP BY month ORDER BY month ASC", created1, created2])
self.connection.select_all r
这可以保护您免受 SQL 注入。
【讨论】:
sanitize_sql_array(['... where id = :id and type in (:types)', { id: _, types: _ }])
由于您没有使用命名绑定,因此您可以这样做。这适用于 Rails 4.2。
ActiveRecord::Base.connection.select_all(
"SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=$1 AND created<=$2 GROUP BY month ORDER BY month ASC",
nil,
[[nil,'2016-01-01 12:30'],[nil,'2016-01-01 15:30']]
)
【讨论】:
TypeError - TypeError: with nils 和NoMethodError - undefined method cast_type' for ...`。导轨 4.2.10。
我不明白你是否尝试使用变量,但是使用变量很容易,你错误地使用了它们
像这样使用它:
ActiveRecord::Base.connection.select_all("SELECT MONTH(created) AS month, YEAR(created) AS year FROM orders WHERE created>=#{v1} AND created<=#{v2} GROUP BY month ORDER BY month ASC",nil,[['created',1],['created',2]])
其中 v1 和 v2 是变量。 如果您正在尝试其他方法,请告诉我
谢谢
【讨论】: