In my controller, I have this method:
在我的控制器中,我有这个方法:
def show
@final =final_params
allparams=''
ActiveRecord::Base.connection.execute("USE database")
ActiveRecord::Base.connection.execute("declare @p3 dbo.Params")
@final.each do |key, value|
allparams= "insert into @p3 values(N'""#{key}"+"'"++",N'"+"#{value}"+"')\n"
ActiveRecord::Base.connection.execute(allparams)
end
end
But, I am facing the below error:
但是,我面临以下错误:
TinyTds::Error: Must declare the table variable "@p3".: insert into @p3 values(N'a',N'aa')
In my above code @p3 is a table name parameter.
在上面的代码中,@ p3是一个表名参数。
I am using SQL Server for database.
我正在使用SQL Server进行数据库。
2 个解决方案
#1
1
#{@p3}, but this code looks like vulnerable to SQL-injection.
#{@ p3},但这段代码看起来很容易受到SQL注入攻击。
#2
0
You need to interpolate the @p3 variable into the sql string assigned to allparams, like this:
您需要将@ p3变量插入分配给allparams的sql字符串中,如下所示:
@final.each do |key, value|
allparams = "insert into #{@p3} values(N'""#{key}"+"'"++",N'"+"#{value}"+"')\n"
ActiveRecord::Base.connection.execute(allparams)
end
#1
1
#{@p3}, but this code looks like vulnerable to SQL-injection.
#{@ p3},但这段代码看起来很容易受到SQL注入攻击。
#2
0
You need to interpolate the @p3 variable into the sql string assigned to allparams, like this:
您需要将@ p3变量插入分配给allparams的sql字符串中,如下所示:
@final.each do |key, value|
allparams = "insert into #{@p3} values(N'""#{key}"+"'"++",N'"+"#{value}"+"')\n"
ActiveRecord::Base.connection.execute(allparams)
end