prevent sql injection attacks by escaping quotes in column names
This commit is contained in:
parent
b0555bb88b
commit
8a39f411dc
|
@ -169,7 +169,7 @@ module ActiveRecord
|
|||
end
|
||||
|
||||
def quote_column_name(name) #:nodoc:
|
||||
@quoted_column_names[name] ||= "`#{name}`"
|
||||
@quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
|
||||
end
|
||||
|
||||
def quote_table_name(name) #:nodoc:
|
||||
|
|
|
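Review bot: The memoization on the new `@quoted_column_names[name] ||= ...` line is keyed by the raw, unescaped name and has no size bound, so in the very scenario this commit hardens — column names arriving from an untrusted caller — every distinct name adds an entry that lives as long as the adapter object; the same applies to the identical change in the `@ -250,7 +250,7` hunk. Worth a comment making that expectation explicit, e.g. `# Keyed by the raw name; not intended for unbounded, caller-supplied identifiers`, or bounding the cache. Separately, `name.to_s` turns a nil name into the empty quoted identifier ``` `` ``` instead of failing early; a guard such as `raise ArgumentError, 'column name required' if name.nil?` before the lookup would surface that misuse at the call site rather than as a SQL syntax error. The surrounding class continues outside the hunk.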
@ -250,7 +250,7 @@ module ActiveRecord
|
|||
end
|
||||
|
||||
def quote_column_name(name) #:nodoc:
|
||||
@quoted_column_names[name] ||= "`#{name}`"
|
||||
@quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
|
||||
end
|
||||
|
||||
def quote_table_name(name) #:nodoc:
|
||||
|
|
|
@ -148,7 +148,7 @@ module ActiveRecord
|
|||
end
|
||||
|
||||
def quote_column_name(name) #:nodoc:
|
||||
%Q("#{name}")
|
||||
%Q("#{name.to_s.gsub('"', '""')}")
|
||||
end
|
||||
|
||||
# Quote date/time values for use in SQL input. Includes microseconds
|
||||
|
|
|
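Review bot: The new `%Q("#{name.to_s.gsub('"', '""')}")` line carries no comment saying why the delimiter is doubled, and unlike the two MySQL hunks it is not memoized, so the three implementations now diverge in shape for the same fix; a one-line comment such as `# Double any embedded '"' so the delimiter cannot terminate the identifier early (standard SQL identifier escaping)` would make the intent survive the next refactor. It is also worth noting in the method's `#:nodoc:` comment that this escaping protects the identifier position only — a name interpolated anywhere else in a statement still needs the value-quoting path. The enclosing module continues outside the hunk.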
@ -67,6 +67,23 @@ end
|
|||
class BasicsTest < ActiveRecord::TestCase
|
||||
fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
|
||||
|
||||
def test_column_names_are_escaped
|
||||
conn = ActiveRecord::Base.connection
|
||||
classname = conn.class.name[/[^:]*$/]
|
||||
badchar = {
|
||||
'SQLite3Adapter' => '"',
|
||||
'MysqlAdapter' => '`',
|
||||
'Mysql2Adapter' => '`',
|
||||
'PostgreSQLAdapter' => '"',
|
||||
'OracleAdapter' => '"',
|
||||
}.fetch(classname) {
|
||||
raise "need a bad char for #{classname}"
|
||||
}
|
||||
|
||||
quoted = conn.quote_column_name "foo#{badchar}bar"
|
||||
assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
|
||||
end
|
||||
|
||||
def test_columns_should_obey_set_primary_key
|
||||
pk = Subscriber.columns.find { |x| x.name == 'nick' }
|
||||
assert pk.primary, 'nick should be primary key'
|
||||
|
|
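Review bot: `test_column_names_are_escaped` only exercises a String name, yet the adapter hunks in this commit added `.to_s` specifically so that Symbol names are handled; a second assertion such as `assert_equal(quoted, conn.quote_column_name(:"foo#{badchar}bar"))` would pin that path. It would also help to cover a name consisting only of the delimiter and one with consecutive delimiters (`"foo#{badchar * 2}bar"` should quote to four), since those are the inputs most likely to slip past a regex-based escape in a future rewrite. The `badchar` map raising via `fetch` for an unknown adapter is a good pattern and keeps the test from passing vacuously.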