1. 技术文章
  2. Rails ActiveRecord - Search on Multiple Attributes

Rails ActiveRecord - Search on Multiple Attributes

一个人想着一个人 提交于 2019-12-12 07:57:57

问题


I'm implementing a simple search function that should check for a string in either the username, last_name and first_name. I've seen this ActiveRecord method on an old RailsCast:

http://railscasts.com/episodes/37-simple-search-form

find(:all, :conditions => ['name LIKE ?', "%#{search}%"])

But how do I make it so that it searches for the keyword in name, last_name and first name and returns the record if the one of the fields matched the term?

I'm also wondering if the code on the RailsCast is prone to SQL injections?

Thanks a lot!


回答1:


I assumed your model name is Model - just replace it with your real model name when you do the actual query:

Model.where("name LIKE ? OR last_name LIKE ? OR first_name LIKE ?", "%#{search}%","%#{search}%","%#{search}%")

About your worries about SQL injections - both of code snippets are immune to SQL injections. As long as you do not directly embed strings into your WHERE clause you are fine. An example for injection-prone code would be:

Model.where("name LIKE '#{params[:name]}'")



回答2:


Although the selected answer will work, I noticed that it breaks if you try to type a search "Raul Riera" because it will fail on both cases, because Raul Riera is not either my first name or my last name.. is my first and last name... I solved it by doing

Model.where("lower(first_name || ' ' || last_name) LIKE ?", "%#{search.downcase}%")



回答3:


With Arel, you can avoid writing the SQL manually with something like this:

Model.where(
  %i(name first_name last_name)
    .map { |field| Model.arel_table[field].matches("%#{query}%")}
    .inject(:or)
)

This would be particularly useful if the list of fields to match against was dynamic.




回答4:


The best way to do this is:

Model.where("attr_a ILIKE :query OR attr_b ILIKE :query", query: "%#{query}%")



回答5:


A more generic solution for searching in all fields of the model would be like this

def search_in_all_fields model, text
  model.where(
    model.column_names
      .map {|field| "#{field} like '%#{text}%'" }
      .join(" or ")
  )
end

Or better as a scope in the model itself

class Model < ActiveRecord::Base
  scope :search_in_all_fields, ->(text){
    where(
      column_names
        .map {|field| "#{field} like '%#{text}%'" }
        .join(" or ")
    )
  }
end

You would just need to call it like this

Model.search_in_all_fields "test"

Before you start.., no, sql injection would probably not work here but still better and shorter

class Model < ActiveRecord::Base
  scope :search_all_fields, ->(text){
    where("#{column_names.join(' || ')} like ?", "%#{text}%")
  }
end


来源:https://stackoverflow.com/questions/11816919/rails-activerecord-search-on-multiple-attributes

标签
ruby-on-rails
ruby-on-rails-3
search
activerecord
sql-injection
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!