ruby 更新:更改所有适用的方法以防止SQL注入

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ruby 更新:更改所有适用的方法以防止SQL注入相关的知识,希望对你有一定的参考价值。

require 'sqlite3'


$db = SQLite3::Database.open 'congress_poll_results.db'

def print_arizona_reps
  puts 'AZ REPRESENTATIVES'
  az_reps = $db.execute("SELECT name FROM congress_members WHERE location = 'AZ'")
  az_reps.each { |rep| puts rep }
end

# Print out the number of years served as well as the name of the longest running reps
# output should look like:  Rep. C. W. Bill Young - 41 years

#BOUND FOR GAURDING AGAINST SQL INJECTION
def print_longest_serving_reps(minimum_years)
  puts 'LONGEST SERVING REPRESENTATIVES (greater than 35 years)'
  longest_reps = $db.execute("SELECT name, years_in_congress FROM congress_members WHERE years_in_congress > ?",[minimum_years])
  longest_reps.each {|rep, years| puts "#{rep} - #{years} years"}
end

# Need to be able to pass the grade level as an argument, look in schema for "grade_current" column

#BOUND FOR GAURDING AGAINST SQL INJECTION
def print_lowest_grade_level_speakers(maximum_level)
  puts 'LOWEST GRADE LEVEL SPEAKERS (less than < 8th grade)'
  lowest_grade_level = $db.execute("SELECT name, ROUND(grade_current, 2) FROM congress_members WHERE grade_current < ?",[maximum_level])
  lowest_grade_level.each {|rep, level| puts "#{rep} - #{level} grade level"}
end

#  Make a method to print the following states representatives as well:
# (New Jersey, New York, Maine, Florida, and Alaska)
# Version 1 pulling all data for target fields into array and filtering target data from there
def print_state_reps(*states)
  puts 'REPRESENTATIVES BY STATE'
  state_reps = $db.execute('SELECT name, location FROM congress_members')
  states.each do |state|
    puts "#{state} REPRESENTATIVES"
    state_reps.each do |rep, st|
      if st == state
        puts rep
      end
    end
    puts ''
  end
end

# Version 2 with binding parameters to guard against SQL injection
def print_state_reps1(*states)
  puts 'REPRESENTATIVES BY STATE'
  states.each do |state|
    puts "#{state} REPRESENTATIVES"
    state_reps = $db.execute("SELECT name FROM congress_members WHERE location = ?",[state])
    state_reps.each {|st| puts st}
    puts ''
  end
end

#BONUSES
# Create a listing of all of the Politicians and the number of votes they received
# output should look like:  Sen. John McCain - 7,323 votes
def print_rep_votes
  puts 'VOTES BY POLITICIAN'
  number_votes = $db.execute("SELECT c.name, COUNT(*)AS number_votes FROM congress_members c,
votes v WHERE c.id = v.politician_id GROUP BY c.name")
  number_votes.each {|rep, votes| puts "#{rep} - #{votes} votes"}
end

# Create a listing of each Politician and the voter that voted for them
# output should include the senators name, then a long list of voters separated by a comma
def print_rep_voters
  puts 'VOTERS BY POLITICIAN'
  rep_concat_voter = $db.execute("SELECT c.name, (r.first_name || ' ' || r.last_name) FROM congress_members c,
votes v, voters r WHERE (c.id = v.politician_id) AND (r.id = v.voter_id) ORDER BY c.name")

  rep_voters = Hash[rep_concat_voter.chunk{|x| x[0]}.to_a]
  rep_voters.each_pair do |key, value|
    print "#{key}: "
    puts (value.each {|x| x.delete_at(0)}).join(', ')
  end
end

def print_separator
  puts
  puts "------------------------------------------------------------------------------"
  puts
end

print_arizona_reps
print_separator

#  Print out the number of years served as well as the name of the longest running reps
# output should look like:  Rep. C. W. Bill Young - 41 years
print_longest_serving_reps(35)
print_separator

# Need to be able to pass the grade level as an argument, look in schema for "grade_current" column
print_lowest_grade_level_speakers(8)
print_separator

#  Make a method to print the following states representatives as well:
# (New Jersey, New York, Maine, Florida, and Alaska)
# Two versions:
print_state_reps('NJ','NY', 'ME', 'FL', 'AK')
print_state_reps1('NJ','NY', 'ME', 'FL', 'AK')

print_separator

##### BONUS #######
#1. (bonus) - Stop SQL injection attacks!  Statmaster learned that interpolation of variables in SQL
#   statements leaves some security vulnerabilities.  Use the google to figure out how to protect from
#   this type of attack.
#   BIND PARAMETERS; EXAMPLES:
#     db.execute( "INSERT INTO Products ( stockID, Name ) VALUES ( ?, ? )", [id, name])
#     db.execute ("SELECT name FROM congress_members WHERE location = ?",[state])

# 2. Create a listing of all of the Politicians and the number of votes they received
#    output should look like:  Sen. John McCain - 7,323 votes
print_rep_votes
print_separator

# 3. Create a listing of each Politician and the voter that voted for them
#    output should include the senators name, then a long list of voters separated by a comma
print_rep_voters

以上是关于ruby 更新:更改所有适用的方法以防止SQL注入的主要内容,如果未能解决你的问题,请参考以下文章

清理请求以防止 SQL 注入攻击

如果应该准备所有 SQL 查询以防止 SQL 注入,为啥语法允许非准备查询?

这足以防止 SQL 注入吗?

防止sql注入的方法都有哪些

php中防止SQL注入的方法

防止 SQL 注入 - PDO,mysqli [重复]