diff options
| author | Aaron Patterson <aaron.patterson@gmail.com> | 2011-08-16 15:17:17 -0700 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2011-08-16 15:24:42 -0700 |
| commit | 8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 (patch) | |
| tree | ce6455266bdf1e0e94d17cad23e2159a216daaa6 /activerecord/test/cases/base_test.rb | |
| parent | b0555bb88b090ca981fcc7661b6f9ea333e7f42e (diff) | |
| download | rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.tar.gz rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.tar.bz2 rails-8a39f411dc3c806422785b1f4d5c7c9d58e4bf85.zip | |
prevent sql injection attacks by escaping quotes in column names
Diffstat (limited to 'activerecord/test/cases/base_test.rb')
| -rw-r--r-- | activerecord/test/cases/base_test.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/activerecord/test/cases/base_test.rb b/activerecord/test/cases/base_test.rb index b8ebabfe70..fe46c00b47 100644 --- a/activerecord/test/cases/base_test.rb +++ b/activerecord/test/cases/base_test.rb @@ -67,6 +67,23 @@ end class BasicsTest < ActiveRecord::TestCase fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts + def test_column_names_are_escaped + conn = ActiveRecord::Base.connection + classname = conn.class.name[/[^:]*$/] + badchar = { + 'SQLite3Adapter' => '"', + 'MysqlAdapter' => '`', + 'Mysql2Adapter' => '`', + 'PostgreSQLAdapter' => '"', + 'OracleAdapter' => '"', + }.fetch(classname) { + raise "need a bad char for #{classname}" + } + + quoted = conn.quote_column_name "foo#{badchar}bar" + assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted) + end + def test_columns_should_obey_set_primary_key pk = Subscriber.columns.find { |x| x.name == 'nick' } assert pk.primary, 'nick should be primary key' |