prevent sql injection attacks by escaping quotes in column names
tenderlove committed Aug 16, 2011
1 parent b0555bb commit 8a39f41
Showing 4 changed files with 20 additions and 3 deletions.
Expand Up @@ -169,7 +169,7 @@ def quote(value, column = nil)
end

def quote_column_name(name) #:nodoc:
@quoted_column_names[name] ||= "`#{name}`"
@quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
end

def quote_table_name(name) #:nodoc:
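Review bot: The memoized lookup on the changed line, `@quoted_column_names[name] ||= ...`, now caches one entry for every distinct name it is asked to quote; if the escaping was added because names can come from untrusted input, the cache grows without bound for each new caller-supplied string, a memory-exhaustion risk that the escaping itself does not address. The same pattern is in the second hunk (the other `quote_column_name`, line 26). Bounding the cache, or memoizing only names that exist in the schema, would close that gap; at minimum a comment such as `# Memoized per name: callers must not pass an unbounded set of user-controlled names` would record the assumption. `quote_table_name` directly below has its body outside the hunk, so whether it applies the same doubling cannot be confirmed here.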
Expand Up @@ -250,7 +250,7 @@ def type_cast(value, column)
end

def quote_column_name(name) #:nodoc:
@quoted_column_names[name] ||= "`#{name}`"
@quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
end

def quote_table_name(name) #:nodoc:
Expand Up @@ -148,7 +148,7 @@ def quote_string(s) #:nodoc:
end

def quote_column_name(name) #:nodoc:
%Q("#{name}")
%Q("#{name.to_s.gsub('"', '""')}")
end

# Quote date/time values for use in SQL input. Includes microseconds
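Review bot: The escaping on the changed line is undocumented: the `#:nodoc:` marker hides the method, so nothing records why the embedded `"` is doubled or that the new `to_s` is what lets Symbol names take the same path. A short comment above the method, e.g. `# Doubles any embedded double-quote so the value cannot terminate the quoted identifier; to_s also covers Symbol names.`, would make the intent clear to the next maintainer. The quoting here wraps whatever it is given, so a caller still needs to validate that the value is an identifier at all rather than relying on this method alone; that assumption is inferred from the hunk and worth stating in the same comment.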
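--- a/activerecord/test/cases/base_test.rb
+++ b/activerecord/test/cases/base_test.rb
@@ -67,6 +67,23 @@ def setup
 class BasicsTest < ActiveRecord::TestCase
 fixtures :topics, :companies, :developers, :projects, :computers, :accounts, :minimalistics, 'warehouse-things', :authors, :categorizations, :categories, :posts
 
+def test_column_names_are_escaped
+conn = ActiveRecord::Base.connection
+classname = conn.class.name[/[^:]*$/]
+badchar = {
+'SQLite3Adapter' => '"',
+'MysqlAdapter' => '`',
+'Mysql2Adapter' => '`',
+'PostgreSQLAdapter' => '"',
+'OracleAdapter' => '"',
+}.fetch(classname) {
+raise "need a bad char for #{classname}"
+}
+
+quoted = conn.quote_column_name "foo#{badchar}bar"
+assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", quoted)
+end
+
 def test_columns_should_obey_set_primary_key
 pk = Subscriber.columns.find { |x| x.name == 'nick' }
 assert pk.primary, 'nick should be primary key'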
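Review bot: The new test checks a single embedded quote character in a String, so neither the `to_s` path the adapters gained nor the case that most often slips through (consecutive or trailing quote characters) is exercised. Adding `assert_equal("#{badchar}foo#{badchar * 4}bar#{badchar}", conn.quote_column_name("foo#{badchar * 2}bar"))` and a Symbol variant `assert_equal("#{badchar}foo#{badchar * 2}bar#{badchar}", conn.quote_column_name(:"foo#{badchar}bar"))` would pin both. The regex in `conn.class.name[/[^:]*$/]` takes the unqualified class name; `$` happens to be safe because class names contain no newline, but `\z` would state that intent explicitly.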
