SQL injection possibility
arekk committed Nov 17, 2015
1 parent 9e81702 commit 52fd3b2
Showing 1 changed file with 17 additions and 17 deletions.
34 changes: 17 additions & 17 deletions lib/uke/finder.rb
Expand Up @@ -49,12 +49,12 @@ def by_news
SQL

sql.gsub!(':uke_import_id', @active_import.id.to_s)
sql.gsub!(':lat_ne', conn.quote_string(bounds_ne['lat'].to_s))
sql.gsub!(':lat_sw', conn.quote_string(bounds_sw['lat'].to_s))
sql.gsub!(':lon_ne', conn.quote_string(bounds_ne['lng'].to_s))
sql.gsub!(':lon_sw', conn.quote_string(bounds_sw['lng'].to_s))
sql.gsub!(':lat', conn.quote_string(@location.latitude.to_s))
sql.gsub!(':lon', conn.quote_string(@location.longitude.to_s))
sql.gsub!(':lat_ne', conn.quote(bounds_ne['lat'].to_s))
sql.gsub!(':lat_sw', conn.quote(bounds_sw['lat'].to_s))
sql.gsub!(':lon_ne', conn.quote(bounds_ne['lng'].to_s))
sql.gsub!(':lon_sw', conn.quote(bounds_sw['lng'].to_s))
sql.gsub!(':lat', conn.quote(@location.latitude.to_s))
sql.gsub!(':lon', conn.quote(@location.longitude.to_s))

result_to_hash select_using_uke_stations_result(sql)
end
Expand All @@ -77,12 +77,12 @@ def by_location
SQL

sql.gsub!(':uke_import_id', @active_import.id.to_s)
sql.gsub!(':lat_ne', conn.quote_string(bounds_ne['lat'].to_s))
sql.gsub!(':lat_sw', conn.quote_string(bounds_sw['lat'].to_s))
sql.gsub!(':lon_ne', conn.quote_string(bounds_ne['lng'].to_s))
sql.gsub!(':lon_sw', conn.quote_string(bounds_sw['lng'].to_s))
sql.gsub!(':lat', conn.quote_string(@location.latitude.to_s))
sql.gsub!(':lon', conn.quote_string(@location.longitude.to_s))
sql.gsub!(':lat_ne', conn.quote(bounds_ne['lat'].to_s))
sql.gsub!(':lat_sw', conn.quote(bounds_sw['lat'].to_s))
sql.gsub!(':lon_ne', conn.quote(bounds_ne['lng'].to_s))
sql.gsub!(':lon_sw', conn.quote(bounds_sw['lng'].to_s))
sql.gsub!(':lat', conn.quote(@location.latitude.to_s))
sql.gsub!(':lon', conn.quote(@location.longitude.to_s))

result_to_hash select_using_uke_stations_result(sql)
end
Expand All @@ -97,7 +97,7 @@ def by_frq_range
WHERE (f.mhz BETWEEN :mhz_start AND :mhz_end)
SQL

result_to_hash select_using_uke_stations_sql(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':mhz_start', conn.quote_string(first.to_s)).gsub(':mhz_end', conn.quote_string(last.to_s)))
result_to_hash select_using_uke_stations_sql(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':mhz_start', conn.quote(first.to_s)).gsub(':mhz_end', conn.quote(last.to_s)))
end

def by_frq
Expand All @@ -110,7 +110,7 @@ def by_frq
WHERE f.mhz = :mhz
SQL

result_to_hash select_using_uke_stations_sql(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':mhz', conn.quote_string(Uke::Unifier::frq_string(@q).to_s)))
result_to_hash select_using_uke_stations_sql(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':mhz', conn.quote(Uke::Unifier::frq_string(@q).to_s)))
end

def by_string
Expand All @@ -121,10 +121,10 @@ def by_string
FROM uke_stations us
JOIN uke_operators uo on (uo.id = us.uke_operator_id)
WHERE us.uke_import_id = :uke_import_id
AND (us.location LIKE '%:like%' OR us.name LIKE '%:like%' OR uo.name LIKE '%:like%')
AND (us.location LIKE :like OR us.name LIKE :like OR uo.name LIKE :like)
SQL

result_to_hash select_using_uke_stations_sql(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':like', conn.quote_string(@q)))
result_to_hash select_using_uke_stations_sql(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':like', conn.quote('%'+@q.to_s+'%')))
end

def by_frq_order_by_distance
Expand All @@ -149,7 +149,7 @@ def by_frq_order_by_distance
ORDER BY distance ASC
SQL

result_to_hash(conn.select_all(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':lat', conn.quote_string(@location.latitude.to_s)).gsub(':lon', conn.quote_string(@location.longitude.to_s)).gsub(':mhz', conn.quote_string(Uke::Unifier::frq_string(@q).to_s))))
result_to_hash(conn.select_all(sql.gsub(':uke_import_id', @active_import.id.to_s).gsub(':lat', conn.quote(@location.latitude.to_s)).gsub(':lon', conn.quote(@location.longitude.to_s)).gsub(':mhz', conn.quote(Uke::Unifier::frq_string(@q).to_s))))
end

private
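Review bot: `conn.quote` does not protect the substituted values from `String#gsub`'s replacement-string processing, which interprets backslash sequences such as `\\`, `\1`, `\&` and `\'` in its second argument, so a user-controlled `@q` containing a backslash (e.g. `\'`) has its escaping undone or the surrounding SQL spliced in at the `:like` substitution in `by_string` and the `:mhz`/`:lat`/`:lon` substitutions in `by_frq_order_by_distance`; the same applies to every `gsub`/`gsub!` call in these hunks. Use the block form so the quoted literal is inserted verbatim, e.g. `.gsub(':like') { conn.quote('%' + @q.to_s + '%') }`, or better, stop templating the SQL string and pass the values as bind parameters via `sanitize_sql_array`/`exec_query`. `:uke_import_id` is still interpolated without quoting, which is only safe if `@active_import.id` is always an integer primary key, which these hunks do not show. `%` and `_` inside `@q` also remain LIKE wildcards after quoting, a matching/performance concern rather than an injection one. The `SQL` heredocs that open each of these methods lie outside the hunks.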
