jacknudt
/
socialforge
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

资源库搜索 sql注入

This commit is contained in:
lizanle 2015-12-14 10:52:19 +08:00
parent f6867068f5
commit c004b05991
1 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
app/controllers/users_controller.rb
View File

@ -1857,46 +1857,46 @@ class UsersController < ApplicationController
# 根据资源关键字进行搜索
def resource_search
search = params[:search].to_s.strip.downcase
search = "%#{params[:search].strip.downcase}%"
if(params[:type].nil? || params[:type].blank? || params[:type] == "1" || params[:type] == 'all') #全部
if User.current.id.to_i == params[:id].to_i
user_course_ids = User.current.courses.map { |c| c.id} #我的资源库的话,那么应该是我上传的所有资源 加上 我加入的课程的所有资源 取交集并查询
@attachments = Attachment.where("((author_id = #{params[:id]} and container_type in('Project','Principal','Course','Issue','Document','Message','News','StudentWorkScore','HomewCommon')) "+
" or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')}))) and (filename like '%#{search}%') ").order("created_on desc")
" or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')}))) and (filename like :p) ",:p=>search).order("created_on desc")
else
user_course_ids = User.find(params[:id]).courses.visible.map { |c| c.id} #如果课程私有资源,那么要看这个资源的课程是不是在 这个user的所有我可见的课程中
@attachments = Attachment.where("((author_id = #{params[:id]} and is_public = 1 and container_type in" +
" ('Project','Principal','Course','Issue','Document','Message','News','StudentWorkScore','HomewCommon'))"+
" or (container_type = 'Course' and is_public = 1 and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) )" +
" and (filename like '%#{search}%') ").order("created_on desc")
" and (filename like :p) ",:p=>search).order("created_on desc")
end
elsif params[:type] == "2" #课程资源
if User.current.id.to_i == params[:id].to_i
user_course_ids = User.current.courses.map { |c| c.id}
@attachments = Attachment.where("(author_id = #{params[:id]} and container_type = 'Course') or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) and (filename like '%#{search}%') ").order("created_on desc")
@attachments = Attachment.where("(author_id = #{params[:id]} and container_type = 'Course') or (container_type = 'Course' and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) and (filename like :p) ",:p=>search).order("created_on desc")
else
user_course_ids = User.find(params[:id]).courses.visible.map { |c| c.id} #如果课程私有资源,那么要看这个资源的课程是不是在 这个user的所有我可见的课程中
@attachments = Attachment.where("((author_id = #{params[:id]} and is_public = 1 and container_type = 'Course') "+
"or (container_type = 'Course' and is_public = 1 and container_id in (#{user_course_ids.empty? ? '0': user_course_ids.join(',')})) )"+
" and (filename like '%#{search}%') ").order("created_on desc")
" and (filename like :p) ",:p=>search).order("created_on desc")
end
elsif params[:type] == "3" #项目资源
if User.current.id.to_i == params[:id].to_i
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Project' and (filename like '%#{search}%')").order("created_on desc")
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Project' and (filename like :p)",:p=>search).order("created_on desc")
else
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Project' and (filename like '%#{search}%') ").order("created_on desc")
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Project' and (filename like :p) ",:p=>search).order("created_on desc")
end
elsif params[:type] == "4" #附件
if User.current.id.to_i == params[:id].to_i
@attachments = Attachment.where("author_id = #{params[:id]} and container_type in('Project','Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like '%#{search}%')").order("created_on desc")
@attachments = Attachment.where("author_id = #{params[:id]} and container_type in('Project','Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like :p)",:p=>search).order("created_on desc")
else
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type in('Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like '%#{search}%')").order("created_on desc")
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type in('Issue','Document','Message','News','StudentWorkScore','HomewCommon') and (filename like :p)",:p=>search).order("created_on desc")
end
elsif params[:type] == "5" #用户资源
if User.current.id.to_i == params[:id].to_i
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Principal' and (filename like '%#{search}%')").order("created_on desc")
@attachments = Attachment.where("author_id = #{params[:id]} and container_type = 'Principal' and (filename like :p)",:p=>search).order("created_on desc")
else
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Principal' and (filename like '%#{search}%')").order("created_on desc")
@attachments = Attachment.where("author_id = #{params[:id]} and is_public = 1 and container_type = 'Principal' and (filename like :p)",:p=>search).order("created_on desc")
end
end
@type = params[:type]