author | yui-knk <spiketeika@gmail.com> | 2015-09-25 08:49:57 +0900 |
committer | yui-knk <spiketeika@gmail.com> | 2015-09-25 08:49:57 +0900 |
commit | 14d265217a40a98f430961fd5e32713176ceccf9 (patch) | |
tree | 2b4804160e37e5fb6dcf3a360190bcf38feee2cf | |
parent | 4a375a83deab7a3089e718a1d18ddc4c2846cd40 (diff) | |
Quote prepared statements of `sanitize_sql_array`
Sure, unquoted SQL code passes the test, but this %-style prepared statement
is dangerous. Test code and code examples are also "Rails" code,
so quote the placeholders of prepared statements.
-rw-r--r-- | activerecord/test/cases/sanitize_test.rb | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/activerecord/test/cases/sanitize_test.rb b/activerecord/test/cases/sanitize_test.rb
index 262e0abc22..14e392ac30 100644
--- a/activerecord/test/cases/sanitize_test.rb
+++ b/activerecord/test/cases/sanitize_test.rb
@@ -9,11 +9,11 @@ class SanitizeTest < ActiveRecord::TestCase
   def test_sanitize_sql_array_handles_string_interpolation
     quoted_bambi = ActiveRecord::Base.connection.quote_string("Bambi")
-    assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=%s", "Bambi"])
-    assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=%s", "Bambi".mb_chars])
+    assert_equal "name='#{quoted_bambi}'", Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi"])
+    assert_equal "name='#{quoted_bambi}'", Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi".mb_chars])
 
     quoted_bambi_and_thumper = ActiveRecord::Base.connection.quote_string("Bambi\nand\nThumper")
-    assert_equal "name=#{quoted_bambi_and_thumper}",Binary.send(:sanitize_sql_array, ["name=%s", "Bambi\nand\nThumper"])
-    assert_equal "name=#{quoted_bambi_and_thumper}",Binary.send(:sanitize_sql_array, ["name=%s", "Bambi\nand\nThumper".mb_chars])
+    assert_equal "name='#{quoted_bambi_and_thumper}'",Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi\nand\nThumper"])
+    assert_equal "name='#{quoted_bambi_and_thumper}'",Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi\nand\nThumper".mb_chars])
   end
 
   def test_sanitize_sql_array_handles_bind_variables
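Review bot: The rewritten assertions still leave the reader to infer why the single quotes are written into the format string instead of being produced by the sanitizer; the expected value is built with `connection.quote_string`, which escapes the value but adds no delimiters, so a comment on the first `assert_equal` such as `# %s is substituted via quote_string (escaping only); the surrounding quotes are the caller's job` would make that contract explicit for anyone copying the pattern. The two `+` lines for the newline case also carry over the missing space after the comma (`'",Binary.send(`) from the lines they replace; since those lines are being rewritten anyway, `'", Binary.send(` would match the two asserts above them. The enclosing class SanitizeTest starts before the hunk, and test_sanitize_sql_array_handles_bind_variables, whose `def` is the hunk's last line, continues outside it.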