prevent sql injection attacks by escaping quotes in column names

author: Aaron Patterson <aaron.patterson@gmail.com> 2011-08-16 15:17:17 -0700
committer: Aaron Patterson <aaron.patterson@gmail.com> 2011-08-16 15:24:42 -0700
commit: 8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 (patch)
tree: ce6455266bdf1e0e94d17cad23e2159a216daaa6 /activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
parent: b0555bb88b090ca981fcc7661b6f9ea333e7f42e (diff)
download: rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.tar.gz
rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.tar.bz2
rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
index a44ac08ce4..b844e5ab10 100644
--- a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -250,7 +250,7 @@ module ActiveRecord
       end
 
       def quote_column_name(name) #:nodoc:
-        @quoted_column_names[name] ||= "`#{name}`"
+        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
       end
 
       def quote_table_name(name) #:nodoc:
author	Aaron Patterson <aaron.patterson@gmail.com>	2011-08-16 15:17:17 -0700
committer	Aaron Patterson <aaron.patterson@gmail.com>	2011-08-16 15:24:42 -0700
commit	8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 (patch)
tree	ce6455266bdf1e0e94d17cad23e2159a216daaa6 /activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
parent	b0555bb88b090ca981fcc7661b6f9ea333e7f42e (diff)
download	rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.tar.gz rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.tar.bz2 rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.zip