@@ -1,3 +1,8 @@ +*Edge* + +* Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess] + + *2.1.0 (May 31st, 2008)* * Add ActiveRecord::Base.sti_name that checks ActiveRecord::Base#store_full_sti_class? and returns either the full or demodulized name. [rick] activerecord/CHANGELOG @@ -336,10 +336,11 @@ module ActiveRecord def add_limit_offset!(sql, options) #:nodoc: if limit = options[:limit] + limit = sanitize_limit(limit) unless offset = options[:offset] sql << " LIMIT #{limit}" else - sql << " LIMIT #{offset}, #{limit}" + sql << " LIMIT #{offset.to_i}, #{limit}" end end end activerecord/lib/active_record/connection_adapters/mysql_adapter.rb @@ -118,7 +118,7 @@ class AdapterTest < ActiveRecord::TestCase sql_inject = "1, 7 procedure help()" if current_adapter?(:MysqlAdapter) assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject) - assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7) + assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=> '1 ; DROP TABLE USERS', :offset=>7) else assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject) assert_equal " LIMIT 1,7 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7) activerecord/test/cases/adapter_test.rb 71528b1825ce5184b23d09f923cb72f4073ce8ed David Heinemeier Hansson david@loudthinking.com http://github.com/rails/rails/commit/3282bf3b5016f0c9028cfff1012e8c31a13b40b7 3282bf3b5016f0c9028cfff1012e8c31a13b40b7 2008-06-01T09:15:11-07:00 2008-06-01T09:15:11-07:00 Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess] 164119185308c4838a405a0034f67f924ee7d181 David Heinemeier Hansson david@loudthinking.com