authorHongli Lai (Phusion) <hongli@phusion.nl>2008-09-18 13:27:39 +0200
committerMichael Koziarski <michael@koziarski.com>2008-10-09 18:11:10 +0200
commit28393e6e9c9368036e65e77175ea4f65a862259c (patch)
treed264f4c1d3f995e52bdbfc3ddb0a76e3bcf7f5fd /activerecord/lib
parentaa4a7c35309ff95ef1165844d637f7e583ac20dd (diff)
Add documentation for AbstractAdapter#sanitize_limit, and make its code more readable.
Signed-off-by: Michael Koziarski <michael@koziarski.com> [#1068 status:committed]
Diffstat (limited to 'activerecord/lib')
-rw-r--r--activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb19
1 files changed, 15 insertions, 4 deletions
diff --git a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
index 10dc1a81f3..97c6cd4331 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
@@ -120,10 +120,6 @@ module ActiveRecord
sql
end
- def sanitize_limit(limit)
- limit.to_s[/,/] ? limit.split(',').map{ |i| i.to_i }.join(',') : limit.to_i
- end
-
# Appends a locking clause to an SQL statement.
# This method *modifies* the +sql+ parameter.
# # SELECT * FROM suppliers FOR UPDATE
@@ -185,6 +181,21 @@ module ActiveRecord
def delete_sql(sql, name = nil)
update_sql(sql, name)
end
+
+ # Sanitizes the given LIMIT parameter in order to prevent SQL injection.
+ #
+ # +limit+ may be anything that can evaluate to a string via #to_s. It
+ # should look like an integer, or a comma-delimited list of integers.
+ #
+ # Returns the sanitized limit parameter, either as an integer, or as a
+ # string which contains a comma-delimited list of integers.
+ def sanitize_limit(limit)
+ if limit.to_s =~ /,/
+ limit.to_s.split(',').map{ |i| i.to_i }.join(',')
+ else
+ limit.to_i
+ end
+ end
end
end
end
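Review bot: The comment on the new sanitize_limit says +limit+ may be anything that responds to #to_s, but the else branch calls `limit.to_i` on the original object rather than on its string form, so a value that has #to_s but not #to_i raises NoMethodError instead of being sanitized; `limit.to_s.to_i` would match the comment and the comma branch, which already operates on `limit.to_s`. The comment should also state that non-numeric input degrades to 0 (or to a list containing zeros) rather than raising, since that is what keeps only digits and commas reaching the SQL, and a silent LIMIT 0 is something callers may want to validate for upstream. As a style point, `limit.to_s.split(',').map{ |i| i.to_i }` reads better as `limit.to_s.split(',').map(&:to_i)`, and the string conversion could be computed once at the top of the method instead of twice.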