题库列表SQL注入问题

courseware
daiao 5 years ago
parent 71fce8c3b4
commit 9cec786115

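--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -18,19 +18,17 @@ class QuestionBanksController < ApplicationController
 # 已认证才能获取题库
 if @certification_teacher
 sql = %Q{
-#{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like
-'%#{params[:search]}%'
-}
-@objects.joins(:course_list).where(sql)
+#{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
+}
+@objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
 else
 @objects.none
 end
 else
 sql = %Q{
-#{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like
-'%#{params[:search]}%'
-}
-@objects.joins(:course_list).where(sql)
+#{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
+}
+@objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
 else
 if params[:filter] == 'public'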
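Review bot: The second `sql` fragment still interpolates `current_user.id` straight into the query text while `params[:search]` is now bound, so the fix is only half applied in that branch; bind the id the same way, `#{@objects.table_name}.user_id = :user_id and ...` with `where(sql, user_id: current_user.id, keyword: ...)`. In both `where(...)` calls the bound value is a LIKE pattern built from raw user input, so `%` and `_` typed by the user still act as wildcards; escaping them with `keyword: "%#{@objects.sanitize_sql_like(params[:search].to_s)}%"` keeps the search literal (assuming `@objects` is a model class or relation that exposes `sanitize_sql_like`; confirm). Applying `.to_s` also avoids passing `nil` when `search` is absent. The enclosing method begins before this hunk, so the assignment of `@objects` was not reviewed here.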
