From 3e7d191e6450a3050976c735b0efc11b8a0aee93 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Tue, 7 Dec 2004 10:37:50 +0000
Subject: Added bind-style variable interpolation for the condition arrays that
 uses the adapter's quote method [Michael Koziarski]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@56 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 activerecord/lib/active_record/base.rb | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

(limited to 'activerecord/lib')

diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index 1ebc843274..a45480945e 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -67,7 +67,7 @@ module ActiveRecord #:nodoc:
   #     end
   # 
   #     def self.authenticate_safely(user_name, password)
-  #       find_first([ "user_name = '%s' AND password = '%s'", user_name, password ])
+  #       find_first([ "user_name = ? AND password = ?", user_name, password ])
   #     end
   #   end
   # 
@@ -76,10 +76,6 @@ module ActiveRecord #:nodoc:
   # on the other hand, will sanitize the <tt>user_name</tt> and +password+ before inserting them in the query, which will ensure that
   # an attacker can't escape the query and fake the login (or worse).
   #
-  # Beware, that the approach used in <tt>authenticate_unsafely</tt> is basically just a wrapped call to sprintf. This means that you
-  # still have to quote when using %s or use %d instead. So find_first([ "firm_id = %s", firm_id ]) is _not_ safe while both
-  # find_first([ "firm_id = '%s'", firm_id ]) and find_first([ "firm_id = %d", firm_id ]) are.
-  # 
   # == Overwriting default accessors
   # 
   # All column values are automatically available through basic accessors on the Active Record object, but some times you
@@ -636,13 +632,21 @@ module ActiveRecord #:nodoc:
         # Accepts either a condition array or string. The string is returned untouched, but the array has each of
         # the condition values sanitized.
         def sanitize_conditions(conditions)
-          if Array === conditions
-            statement, values = conditions[0], conditions[1..-1]
-            values.collect! { |value| sanitize(value) }
-            conditions = statement % values
+          return conditions unless conditions.is_a?(Array)
+
+          statement, values = conditions[0], conditions[1..-1]
+
+          statement =~ /\?/ ?
+            replace_bind_variables(statement, values) :
+            statement % values.collect { |value| sanitize(value) }
+        end
+
+        def replace_bind_variables(statement, values)
+          while statement =~ /\?/
+            statement.sub!(/\?/, connection.quote(values.shift))
           end
-          
-          return conditions
+	
+  		    return statement
         end
     end
 
-- 
cgit v1.2.3