From ef0ea782b1f5cf7b08e74ea3002a16c708f66645 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Sat, 31 May 2008 16:57:46 -0700
Subject: Added SQL escaping for :limit and :offset [#288 state:closed] (Aaron
 Bedra, Steven Bristol, Jonathan Wiess)

---
 .../connection_adapters/abstract/database_statements.rb          | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'activerecord/lib/active_record')

diff --git a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
index 16d405d3bd..5358491cde 100644
--- a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
@@ -106,11 +106,16 @@ module ActiveRecord
       #  SELECT * FROM suppliers LIMIT 10 OFFSET 50
       def add_limit_offset!(sql, options)
         if limit = options[:limit]
-          sql << " LIMIT #{limit}"
+          sql << " LIMIT #{sanitize_limit(limit)}"
           if offset = options[:offset]
-            sql << " OFFSET #{offset}"
+            sql << " OFFSET #{offset.to_i}"
           end
         end
+        sql
+      end
+
+      def sanitize_limit(limit)
+        limit.to_s[/,/] ? limit.split(',').map{ |i| i.to_i }.join(',') : limit.to_i
       end
 
       # Appends a locking clause to an SQL statement.
-- 
cgit v1.2.3