更改：防止sql注入

2023-12-19 15:05:00 +08:00 · 2023-12-19 15:05:00 +08:00 · 26461f3a44
parent 21f559f254
commit 26461f3a44
1 changed files with 2 additions and 2 deletions
--- a/app/controllers/admins/projects_rank_controller.rb
+++ b/app/controllers/admins/projects_rank_controller.rb
@ -25,11 +25,11 @@ class Admins::ProjectsRankController < Admins::BaseController
  end
  def sort_by
-    params.fetch(:sort_by, "score")
+    DailyProjectStatistic.column_names.include?(params.fetch(:sort_by, "score")) ? params.fetch(:sort_by, "score") : "score"
  end
  def sort_direction
-    params.fetch(:sort_direction, "desc")
+    %w(desc asc).include?(params.fetch(:sort_direction, "desc")) ? params.fetch(:sort_direction, "desc") : "desc"
  end
  def export_excel(data)