From 973a45230ab5ba0e096585ecd1403a13569a1348 Mon Sep 17 00:00:00 2001 From: Yves Senn Date: Wed, 16 Apr 2014 16:45:10 +0200 Subject: `sanitize_sql_like` escapes `escape_character` not only backslash. * This is a follow up to: fe4b0eee05f59831e1468ed50f55fbad0ce11e1d * The originating PR is #14222 * It should fix the build --- activerecord/lib/active_record/sanitization.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'activerecord/lib') diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb index ef63949208..be62e41932 100644 --- a/activerecord/lib/active_record/sanitization.rb +++ b/activerecord/lib/active_record/sanitization.rb @@ -110,7 +110,8 @@ module ActiveRecord # Sanitizes a +string+ so that it is safe to use within a sql # LIKE statement. This method uses +escape_character+ to escape all occurrences of "\", "_" and "%" def sanitize_sql_like(string, escape_character = "\\") - string.gsub(/[\\_%]/) { |x| [escape_character, x].join } + pattern = Regexp.union(escape_character, "%", "_") + string.gsub(pattern) { |x| [escape_character, x].join } end # Accepts an array of conditions. The array has each value -- cgit v1.2.3