Insert delayed and prevention of sql injection
Previously I used
Model.create()
to insert a row; now I want to use the DELAYED option in MySQL.
But if I write
ActiveRecord::Base.connection.execute("INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{params[:id]})")
I get SQL injection. How do I prevent it?
Use connection.quote
id = ActiveRecord::Base.connection.quote(params[:id])
ActiveRecord::Base.connection.execute("INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{id})")
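Added example (not from the question or the answer above) showing why the interpolated version is injectable and what quoting changes. ActiveRecord is not loaded here, so `mysql_quote` is an assumed stand-in that applies MySQL's string-literal escaping rules, which is the behaviour `ActiveRecord::Base.connection.quote` delegates to for the mysql2 adapter; the malicious input is constructed for the demonstration. A third builder coerces the id to an Integer first, which is the stricter choice for a numeric column because `quote` only escapes, it does not validate the type.

```ruby
# Vulnerable: raw interpolation, exactly as in the question.
def vulnerable_insert_sql(id)
  "INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{id})"
end

# Assumed stand-in for ActiveRecord::Base.connection.quote: NULL for nil,
# bare digits for Integer, otherwise a single-quoted literal with MySQL's
# backslash escapes applied to the characters that can break out of it.
MYSQL_ESCAPES = {
  "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\\" => "\\\\",
  "'" => "\\'", "\"" => "\\\"", "\x1a" => "\\Z",
}.freeze

def mysql_quote(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else
    "'" + value.to_s.gsub(/[\0\n\r\\'"\x1a]/) { |c| MYSQL_ESCAPES[c] } + "'"
  end
end

# Hardened as in the answer: the value is quoted before it reaches the SQL
# string, so whatever it contains stays inside one string literal.
def quoted_insert_sql(id)
  "INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{mysql_quote(id)})"
end

# Stricter for an id column: Integer() raises ArgumentError on anything
# that is not a base-10 number, so bad input is rejected, not stored.
def integer_insert_sql(id)
  "INSERT DELAYED INTO `TABLE` (`row`) VALUES (#{Integer(id, 10)})"
end

if __FILE__ == $PROGRAM_NAME
  evil = "1); DROP TABLE `TABLE`; -- "   # constructed attacker-controlled params[:id]
  puts vulnerable_insert_sql(evil)        # two statements: the INSERT and a DROP TABLE
  puts quoted_insert_sql(evil)            # one INSERT of a harmless string literal
  puts integer_insert_sql("42")
  begin
    integer_insert_sql(evil)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Inside a Rails app the same effect is available without building the string by hand: `Model.sanitize_sql_array(["INSERT DELAYED INTO `TABLE` (`row`) VALUES (?)", params[:id]])` quotes the bound value for you. Note also that INSERT DELAYED is deprecated as of MySQL 5.6.6 and no longer supported in MySQL 8.0, so the quoting matters more than the DELAYED keyword does.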