跳至内容 跳至搜索

Active Record 连接适配器 Quoting

方法
Q
T
U

实例公共方法

quote(value)

引用列值,以帮助防止 SQL 注入攻击

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 72
def quote(value)
  case value
  when String, Symbol, ActiveSupport::Multibyte::Chars
    "'#{quote_string(value.to_s)}'"
  when true       then quoted_true
  when false      then quoted_false
  when nil        then "NULL"
  # BigDecimals need to be put in a non-normalized form and quoted.
  when BigDecimal then value.to_s("F")
  when Numeric then value.to_s
  when Type::Binary::Data then quoted_binary(value)
  when Type::Time::Value then "'#{quoted_time(value)}'"
  when Date, Time then "'#{quoted_date(value)}'"
  when Class      then "'#{value}'"
  else
    raise TypeError, "can't quote #{value.class.name}"
  end
end

quote_column_name(column_name)

引用列名。

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 124
def quote_column_name(column_name)
  self.class.quote_column_name(column_name)
end

quote_string(s)

引用字符串,转义任何 ‘ (单引号) 和 \ (反斜杠) 字符。

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 119
def quote_string(s)
  s.gsub("\\", '\&\&').gsub("'", "''") # ' (for ruby-mode)
end

quote_table_name(table_name)

引用表名。

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 129
def quote_table_name(table_name)
  self.class.quote_table_name(table_name)
end

quote_table_name_for_assignment(table, attr)

重写以返回用于赋值的引用表名。默认为表引用。

这对 MySQL 有效,因为可以使用 table.column 来解决歧义。

我们在 sqlite3 和 postgresql 适配器中重写了此方法,以仅使用列名(符合语法要求)。

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 141
def quote_table_name_for_assignment(table, attr)
  quote_table_name("#{table}.#{attr}")
end

quoted_date(value)

引用日期/时间值以用于 SQL 输入。如果值为响应 usec 的 Time,则包含微秒。

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 174
def quoted_date(value)
  if value.acts_like?(:time)
    if default_timezone == :utc
      value = value.getutc if !value.utc?
    else
      value = value.getlocal
    end
  end

  result = value.to_fs(:db)
  if value.respond_to?(:usec) && value.usec > 0
    result << "." << sprintf("%06d", value.usec)
  else
    result
  end
end

quoted_false()

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 164
def quoted_false
  "FALSE"
end

quoted_true()

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 156
def quoted_true
  "TRUE"
end

type_cast(value)

value 转换为数据库可理解的类型。例如,SQLite 不支持日期,因此此方法会将 Date 转换为 String

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 94
def type_cast(value)
  case value
  when Symbol, Type::Binary::Data, ActiveSupport::Multibyte::Chars
    value.to_s
  when true       then unquoted_true
  when false      then unquoted_false
  # BigDecimals need to be put in a non-normalized form and quoted.
  when BigDecimal then value.to_s("F")
  when nil, Numeric, String then value
  when Type::Time::Value then quoted_time(value)
  when Date, Time then quoted_date(value)
  else
    raise TypeError, "can't cast #{value.class.name}"
  end
end

unquoted_false()

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 168
def unquoted_false
  false
end

unquoted_true()

源: 显示 | 在 GitHub 上

# File activerecord/lib/active_record/connection_adapters/abstract/quoting.rb, line 160
def unquoted_true
  true
end