From 99e9faeda8f039d34e9eeab319e8adc13cb9bc86 Mon Sep 17 00:00:00 2001
From: Jamis Buck <jamis@37signals.com>
Date: Thu, 27 Jul 2006 18:29:49 +0000
Subject: Patch sql injection vulnerability when using integer or float
 columns.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4626 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 activerecord/lib/active_record/connection_adapters/abstract/quoting.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'activerecord/lib/active_record/connection_adapters/abstract')

diff --git a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
index 1c1b00252c..94d1d9c43f 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/quoting.rb
@@ -11,7 +11,8 @@ module ActiveRecord
           when String
             if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
               "'#{quote_string(column.class.string_to_binary(value))}'" # ' (for ruby-mode)
-            elsif column && [:integer, :float].include?(column.type) 
+            elsif column && [:integer, :float].include?(column.type)
+              value = column.type == :integer ? value.to_i : value.to_f
               value.to_s
             else
               "'#{quote_string(value)}'" # ' (for ruby-mode)
-- 
cgit v1.2.3