sql注入的问题

5 years ago · 4629c5d784
parent b852a9a297
commit 4629c5d784
1 changed files with 1 additions and 1 deletions
--- a/app/queries/weapps/subject_query.rb
+++ b/app/queries/weapps/subject_query.rb
@ -21,7 +21,7 @@ class Weapps::SubjectQuery < ApplicationQuery

    # 搜索
    if params[:keyword].present?
-      subjects = subjects.where("subjects.name like '%#{params[:keyword]}%'")
+      subjects = subjects.where("subjects.name like :keyword", keyword: "%#{params[:keyword]}%")
    end

    subjects = subjects.left_joins(:shixuns, :repertoire).select('subjects.id, subjects.name, subjects.excellent, subjects.stages_count, subjects.status, subjects.homepage_show,