Merge pull request #13008 from ktheory/sanitize_order

Support SQL sanitization in AR::QueryMethods#order
author: Sean Griffin <sean@seantheprogrammer.com> 2015-10-29 14:38:42 -0600
committer: Sean Griffin <sean@seantheprogrammer.com> 2015-10-29 15:29:06 -0600
commit: 6a6dbb4c51fb0c58ba1a810eaa552774167b758a (patch)
tree: 7be0178e37465f01685d46d17c1f7d6bae787bf5 /activerecord/lib/active_record/relation/query_methods.rb
parent: 42eb37ab514060c4217ad2dd845d3bf05007db0f (diff)
parent: b1737337e6b6218ae966b57e9484ae7d3aaff7e4 (diff)
download: rails-6a6dbb4c51fb0c58ba1a810eaa552774167b758a.tar.gz
rails-6a6dbb4c51fb0c58ba1a810eaa552774167b758a.tar.bz2
rails-6a6dbb4c51fb0c58ba1a810eaa552774167b758a.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index f5afc1000d..ad6c7fa2e5 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1045,6 +1045,13 @@ module ActiveRecord
     end
 
     def preprocess_order_args(order_args)
+      order_args.map! do |arg|
+        if arg.is_a?(Array) && arg.first.to_s.include?('?')
+          klass.send(:sanitize_sql, arg)
+        else
+          arg
+        end
+      end
       order_args.flatten!
       validate_order_args(order_args)
author	Sean Griffin <sean@seantheprogrammer.com>	2015-10-29 14:38:42 -0600
committer	Sean Griffin <sean@seantheprogrammer.com>	2015-10-29 15:29:06 -0600
commit	6a6dbb4c51fb0c58ba1a810eaa552774167b758a (patch)
tree	7be0178e37465f01685d46d17c1f7d6bae787bf5 /activerecord/lib/active_record/relation/query_methods.rb
parent	42eb37ab514060c4217ad2dd845d3bf05007db0f (diff)
parent	b1737337e6b6218ae966b57e9484ae7d3aaff7e4 (diff)
download	rails-6a6dbb4c51fb0c58ba1a810eaa552774167b758a.tar.gz rails-6a6dbb4c51fb0c58ba1a810eaa552774167b758a.tar.bz2 rails-6a6dbb4c51fb0c58ba1a810eaa552774167b758a.zip