Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess]

activerecord/CHANGELOG

@@ -1,3 +1,8 @@
+*Edge*
+
+* Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess]
+
+
 *2.1.0 (May 31st, 2008)*
 
 * Add ActiveRecord::Base.sti_name that checks ActiveRecord::Base#store_full_sti_class? and returns either the full or demodulized name. [rick]

activerecord/lib/active_record/connection_adapters/mysql_adapter.rb

@@ -336,10 +336,11 @@ module ActiveRecord
 
       def add_limit_offset!(sql, options) #:nodoc:
         if limit = options[:limit]
+          limit = sanitize_limit(limit)
           unless offset = options[:offset]
             sql << " LIMIT #{limit}"
           else
-            sql << " LIMIT #{offset}, #{limit}"
+            sql << " LIMIT #{offset.to_i}, #{limit}"
           end
         end
       end

activerecord/test/cases/adapter_test.rb

@@ -118,7 +118,7 @@ class AdapterTest < ActiveRecord::TestCase
     sql_inject = "1, 7 procedure help()"
     if current_adapter?(:MysqlAdapter)
       assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
-      assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+      assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=> '1 ; DROP TABLE USERS', :offset=>7)
     else
       assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
       assert_equal " LIMIT 1,7 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)