题库列表SQL注入问题

courseware
daiao 5 years ago
parent 71fce8c3b4
commit 9cec786115

@ -18,19 +18,17 @@ class QuestionBanksController < ApplicationController
# 已认证才能获取题库 # 已认证才能获取题库
if @certification_teacher if @certification_teacher
sql = %Q{ sql = %Q{
#{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like #{@objects.table_name}.is_public = 1 and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
'%#{params[:search]}%' }
} @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
@objects.joins(:course_list).where(sql)
else else
@objects.none @objects.none
end end
else else
sql = %Q{ sql = %Q{
#{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like #{@objects.table_name}.user_id = #{current_user.id} and concat(#{@objects.table_name}.name, course_lists.name) like :keyword
'%#{params[:search]}%' }
} @objects.joins(:course_list).where(sql, keyword: "%#{params[:search]}%")
@objects.joins(:course_list).where(sql)
end end
else else
if params[:filter] == 'public' if params[:filter] == 'public'
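Review bot: The `like :keyword` bind removes the injection, but `params[:search]` is still wrapped into the LIKE pattern on the new lines at L14 and L23 without escaping, so a search string containing `%` or `_` is interpreted as a wildcard rather than matched literally; both calls should build the pattern as `keyword: "%#{ActiveRecord::Base.sanitize_sql_like(params[:search].to_s)}%"`. The second `sql` string at L21 still interpolates `#{current_user.id}` directly; that is presumably an integer primary key taken from the authenticated session, so it is not exploitable as written, but binding it too (`#{@objects.table_name}.user_id = :user_id` with `user_id: current_user.id` added to the `where` hash) keeps the whole condition parameterized and consistent with the keyword bind. The enclosing action begins before this hunk and continues past it.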
