
Allow limit values to accept an ARel SQL literal.

commit 7530c5224c77202d62f44a26ae5036d1dc00f579 1 parent 54dca98
Ken Collins authored February 09, 2011 tenderlove committed February 09, 2011
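--- a/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
+++ b/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb
@@ -253,13 +253,17 @@ def limited_update_conditions(where_sql, quoted_table_name, quoted_primary_key)
 
       # Sanitizes the given LIMIT parameter in order to prevent SQL injection.
       #
-      # +limit+ may be anything that can evaluate to a string via #to_s. It
-      # should look like an integer, or a comma-delimited list of integers.
+      # The +limit+ may be anything that can evaluate to a string via #to_s. It
+      # should look like an integer, or a comma-delimited list of integers, or 
+      # an Arel SQL literal.
       #
+      # Returns Integer and Arel::Nodes::SqlLiteral limits as is. 
       # Returns the sanitized limit parameter, either as an integer, or as a
       # string which contains a comma-delimited list of integers.
       def sanitize_limit(limit)
-        if limit.to_s =~ /,/
+        if limit.is_a?(Integer) || limit.is_a?(Arel::Nodes::SqlLiteral)
+          limit
+        elsif limit.to_s =~ /,/
           Arel.sql limit.to_s.split(',').map{ |i| Integer(i) }.join(',')
         else
           Integer(limit)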
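Review bot: The header comment on `sanitize_limit` still promises that the method sanitizes LIMIT to prevent SQL injection, but the new first branch returns any `Arel::Nodes::SqlLiteral` untouched, so for that type the method is a pass-through and safety rests entirely on the caller. The added line `# Returns Integer and Arel::Nodes::SqlLiteral limits as is.` should state that trust boundary explicitly, for example `# An Arel::Nodes::SqlLiteral is trusted and returned unchecked; never build one from request input.` That line also sits directly above the older "Returns the sanitized limit parameter" sentence, so the comment now carries two return descriptions that read as contradictory; merging them into one would help. The body of `sanitize_limit` continues past the end of the hunk.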
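--- a/activerecord/test/cases/base_test.rb
+++ b/activerecord/test/cases/base_test.rb
@@ -48,7 +48,7 @@ class Boolean < ActiveRecord::Base; end
 class BasicsTest < ActiveRecord::TestCase
   fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
 
-  unless current_adapter?(:PostgreSQLAdapter) || current_adapter?(:OracleAdapter)
+  unless current_adapter?(:PostgreSQLAdapter,:OracleAdapter,:SQLServerAdapter)
     def test_limit_with_comma
       assert_nothing_raised do
         Topic.limit("1,2").all
@@ -83,7 +83,13 @@ def test_limit_should_sanitize_sql_injection_for_limit_with_comas
       Topic.limit("1, 7 procedure help()").all
     end
   end
-
+  
+  unless current_adapter?(:MysqlAdapter)
+    def test_limit_should_allow_sql_literal
+      assert_equal 1, Topic.limit(Arel.sql('2-1')).all.length
+    end
+  end
+  
   def test_select_symbol
     topic_ids = Topic.select(:id).map(&:id).sort
     assert_equal Topic.find(:all).map(&:id).sort, topic_ids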
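Review bot: `test_limit_should_allow_sql_literal` in the second hunk only exercises the accepted case, so nothing pins that the same expression passed as a plain String is still rejected, which is the boundary the sanitizer depends on. A companion assertion along the lines of `assert_raises(ArgumentError) { Topic.limit('2-1').all }` would cover it, assuming the String path still ends in `Integer(limit)`. The `unless current_adapter?(:MysqlAdapter)` guard carries no explanation; a comment such as `# MySQL's LIMIT does not accept an expression` (to be confirmed) would tell the next reader why the test is skipped. In the first hunk the new adapter list lacks spaces after the commas, and the two added `+  ` lines are whitespace-only.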
