Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Allow limit values to accept an ARel SQL literal.

  • Loading branch information...
commit 7530c5224c77202d62f44a26ae5036d1dc00f579 1 parent 54dca98
@metaskills metaskills authored tenderlove committed
View
10 activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
@@ -253,13 +253,17 @@ def limited_update_conditions(where_sql, quoted_table_name, quoted_primary_key)
# Sanitizes the given LIMIT parameter in order to prevent SQL injection.
#
- # +limit+ may be anything that can evaluate to a string via #to_s. It
- # should look like an integer, or a comma-delimited list of integers.
+ # The +limit+ may be anything that can evaluate to a string via #to_s. It
+ # should look like an integer, or a comma-delimited list of integers, or
+ # an Arel SQL literal.
#
+ # Returns Integer and Arel::Nodes::SqlLiteral limits as is.
# Returns the sanitized limit parameter, either as an integer, or as a
# string which contains a comma-delimited list of integers.
def sanitize_limit(limit)
- if limit.to_s =~ /,/
+ if limit.is_a?(Integer) || limit.is_a?(Arel::Nodes::SqlLiteral)
+ limit
+ elsif limit.to_s =~ /,/
Arel.sql limit.to_s.split(',').map{ |i| Integer(i) }.join(',')
else
Integer(limit)
View
10 activerecord/test/cases/base_test.rb
@@ -48,7 +48,7 @@ class Boolean < ActiveRecord::Base; end
class BasicsTest < ActiveRecord::TestCase
fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
- unless current_adapter?(:PostgreSQLAdapter) || current_adapter?(:OracleAdapter)
+ unless current_adapter?(:PostgreSQLAdapter,:OracleAdapter,:SQLServerAdapter)
def test_limit_with_comma
assert_nothing_raised do
Topic.limit("1,2").all
@@ -83,7 +83,13 @@ def test_limit_should_sanitize_sql_injection_for_limit_with_comas
Topic.limit("1, 7 procedure help()").all
end
end
-
+
+ unless current_adapter?(:MysqlAdapter)
+ def test_limit_should_allow_sql_literal
+ assert_equal 1, Topic.limit(Arel.sql('2-1')).all.length
+ end
+ end
+
def test_select_symbol
topic_ids = Topic.select(:id).map(&:id).sort
assert_equal Topic.find(:all).map(&:id).sort, topic_ids
Please sign in to comment.
Something went wrong with that request. Please try again.