From 3282bf3b5016f0c9028cfff1012e8c31a13b40b7 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Sun, 1 Jun 2008 09:15:11 -0700
Subject: Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess]

---
 activerecord/CHANGELOG | 5 +++++
 activerecord/lib/active_record/connection_adapters/mysql_adapter.rb | 3 ++-
 activerecord/test/cases/adapter_test.rb | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/activerecord/CHANGELOG b/activerecord/CHANGELOG
index 1c7c977141..a65771648e 100644
--- a/activerecord/CHANGELOG
+++ b/activerecord/CHANGELOG
@@ -1,3 +1,8 @@
+*Edge*
+
+* Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess]
+
+
 *2.1.0 (May 31st, 2008)*
 
 * Add ActiveRecord::Base.sti_name that checks ActiveRecord::Base#store_full_sti_class? and returns either the full or demodulized name. [rick]
diff --git a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
index f00a2c8950..653b45021d 100755
--- a/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
@@ -336,10 +336,11 @@ module ActiveRecord
       def add_limit_offset!(sql, options) #:nodoc:
         if limit = options[:limit]
+          limit = sanitize_limit(limit)
           unless offset = options[:offset]
             sql << " LIMIT #{limit}"
           else
-            sql << " LIMIT #{offset}, #{limit}"
+            sql << " LIMIT #{offset.to_i}, #{limit}"
           end
         end
       end
 
diff --git a/activerecord/test/cases/adapter_test.rb b/activerecord/test/cases/adapter_test.rb
index c77446f880..11f9870534 100644
--- a/activerecord/test/cases/adapter_test.rb
+++ b/activerecord/test/cases/adapter_test.rb
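Review bot: The two coercions in add_limit_offset! are asymmetric and undocumented: :limit is routed through sanitize_limit while :offset is coerced inline with `offset.to_i`, and neither line says why, so a later maintainer may "simplify" one of them back to raw interpolation. sanitize_limit is not defined in this hunk and presumably lives in the shared abstract adapter; that dependency is worth confirming, since the MySQL adapter now relies on its exact contract (the test expects a comma-bearing limit to survive as `1,7`, which in MySQL is itself the offset,count form and so can reach the no-offset branch). `offset.to_i` silently maps any non-numeric offset to 0 rather than failing, which hides caller bugs; if callers never pass garbage on purpose, `Integer(offset)` would raise instead, and either way the intent deserves a comment such as `# limit/offset are interpolated straight into the SQL string, so reduce them to integers first`. The enclosing module continues outside the hunk.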
@@ -118,7 +118,7 @@ class AdapterTest < ActiveRecord::TestCase
     sql_inject = "1, 7 procedure help()"
     if current_adapter?(:MysqlAdapter)
       assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
-      assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+      assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=> '1 ; DROP TABLE USERS', :offset=>7)
     else
       assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
       assert_equal " LIMIT 1,7 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
-- 
cgit v1.2.3
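Review bot: The replaced assertion drops the only MySQL case that combined the comma-bearing `sql_inject` limit with an :offset, so that path is no longer covered on the new side; keep the old line and add the new string as a second assertion rather than swapping them. The new `offset.to_i` coercion is also unexercised, because :offset is still the integer 7 on both sides; an assertion such as `assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>'1 ; DROP TABLE USERS', :offset=>'7 ; DROP TABLE USERS')` would pin that a string offset is reduced to its leading integer. Minor style: `:limit=> '1 ; DROP TABLE USERS'` carries a space after `=>` that the surrounding `:limit=>sql_inject` calls do not. The enclosing test method starts and ends outside the hunk.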