author | Jamis Buck <jamis@37signals.com> | 2006-07-27 18:29:49 +0000 |
committer | Jamis Buck <jamis@37signals.com> | 2006-07-27 18:29:49 +0000 |
commit | 99e9faeda8f039d34e9eeab319e8adc13cb9bc86 (patch) | |
tree | 318d2714fedd28cd90efc91c1b859286317e5241 /activerecord/lib/active_record | |
parent | d70d5219554b55b24586d559bd39d829317d523d (diff) | |
Patch sql injection vulnerability when using integer or float columns.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'activerecord/lib/active_record')
-rw-r--r-- | activerecord/lib/active_record/connection_adapters/abstract/quoting.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
index 1c1b00252c..94d1d9c43f 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
@@ -11,7 +11,8 @@ module ActiveRecord
 when String
 if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
 "'#{quote_string(column.class.string_to_binary(value))}'" # ' (for ruby-mode)
- elsif column && [:integer, :float].include?(column.type)
+ elsif column && [:integer, :float].include?(column.type)
+ value = column.type == :integer ? value.to_i : value.to_f
 value.to_s
 else
 "'#{quote_string(value)}'" # ' (for ruby-mode) |
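Review bot: The added `to_i`/`to_f` coercion on the new `value = ...` line does close the hole, because only `Integer#to_s`/`Float#to_s` output ever reaches the SQL for these column types, but it also silently maps non-numeric input to zero (`'abc'.to_i` is `0`, `'12abc'.to_i` is `12`), so a malformed value now becomes a query for `0` instead of an error, and that choice deserves a comment such as `# a String for a numeric column must never be interpolated verbatim; coerce first so only a numeric literal reaches the SQL`. A float string that overflows (`'1e400'.to_f`) stringifies as `Infinity`, which is then emitted unquoted as a bare word rather than a numeric literal; if that matters, checking `value.finite?` before `value.to_s` would let the caller see the bad input rather than the database. The enclosing `quote` method begins and ends outside this hunk, so the other `when` branches could not be checked here.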