| Field | Value | Date |
|---|---|---|
| author | Rob Gilson <thatotherdude@gmail.com> | 2014-02-27 13:34:21 -0500 |
| committer | Yves Senn <yves.senn@gmail.com> | 2014-04-16 14:32:02 +0200 |
| commit | fe4b0eee05f59831e1468ed50f55fbad0ce11e1d (patch) | |
| tree | 41794c701daa3067d11ad7faa77bff7b75bebfc1 /activerecord/lib/active_record/sanitization.rb | |
| parent | d46771b6fe19302a8808e230bd2fee98d07b87c4 (diff) | |
| download | rails-fe4b0eee05f59831e1468ed50f55fbad0ce11e1d.tar.gz, rails-fe4b0eee05f59831e1468ed50f55fbad0ce11e1d.tar.bz2, rails-fe4b0eee05f59831e1468ed50f55fbad0ce11e1d.zip | |
SQL Like escaping helper method. [Rob Gilson & Yves Senn]
Closes #14222.
This is a follow-up to #6104.
This does not have the backwards compatibility issues brought up in
implementation to break.
Diffstat (limited to 'activerecord/lib/active_record/sanitization.rb')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | activerecord/lib/active_record/sanitization.rb | 6 |

1 file changed, 6 insertions, 0 deletions
diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb index 5a71c13d91..ef63949208 100644 --- a/activerecord/lib/active_record/sanitization.rb +++ b/activerecord/lib/active_record/sanitization.rb @@ -107,6 +107,12 @@ module ActiveRecord end.join(', ') end + # Sanitizes a +string+ so that it is safe to use within a sql + # LIKE statement. This method uses +escape_character+ to escape all occurrences of "\", "_" and "%" + def sanitize_sql_like(string, escape_character = "\\") + string.gsub(/[\\_%]/) { |x| [escape_character, x].join } + end + # Accepts an array of conditions. The array has each value # sanitized and interpolated into the SQL statement. # ["name='%s' and group_id='%s'", "foo'bar", 4] returns "name='foo''bar' and group_id='4'" |
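Review bot: the character class in `string.gsub(/[\\_%]/)` is hard-coded to backslash, `_` and `%` and does not track the `escape_character` argument, so with a non-default escape character (say `!`) a literal `!` already present in `string` is left unescaped and the database treats it as an escape for the character after it, while a literal backslash is still prefixed with `!` even though it is no longer special. Suggest deriving the class from the argument, e.g. `string.gsub(/[#{Regexp.escape(escape_character)}_%]/) { |x| [escape_character, x].join }`, so that exactly the active escape character, `_` and `%` are escaped. The doc comment should also say that the result is not quoted, so it still has to be passed as a bound value or through the array-conditions helper documented just below this method (`sanitize_sql_array`), and that the LIKE clause needs a matching `ESCAPE` clause whenever the chosen character is not the database's default; "sql" in the comment should read "SQL".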