From a53935dfa0538fba0ab805f1a2c4ca2c421ed5e1 Mon Sep 17 00:00:00 2001
From: Noemj <olli.rissanen@helsinki.fi>
Date: Wed, 30 Jan 2013 14:55:01 +0200
Subject: [PATCH] Changed update_record to use prepared statements.

---
 activerecord/lib/active_record/persistence.rb | 15 ++++++++++++---
 activerecord/test/cases/adapter_test.rb       | 14 ++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/activerecord/lib/active_record/persistence.rb b/activerecord/lib/active_record/persistence.rb
index 1b2aa9349e075..0022cfcd464db 100644
--- a/activerecord/lib/active_record/persistence.rb
+++ b/activerecord/lib/active_record/persistence.rb
@@ -418,13 +418,22 @@ def create_or_update
     # Returns the number of affected rows.
     def update_record(attribute_names = @attributes.keys)
       attributes_with_values = arel_attributes_with_values_for_update(attribute_names)
-
       if attributes_with_values.empty?
         0
       else
         klass = self.class
-        stmt = klass.unscoped.where(klass.arel_table[klass.primary_key].eq(id)).arel.compile_update(attributes_with_values)
-        klass.connection.update stmt
+        column_hash = klass.connection.schema_cache.columns_hash klass.table_name
+        db_columns_with_values = attributes_with_values.map { |attr,value|
+          real_column = column_hash[attr.name]
+          [real_column, value]
+        }
+        bind_attrs = attributes_with_values.dup
+        bind_attrs.keys.each_with_index do |column, i|
+          real_column = db_columns_with_values[i].first
+          bind_attrs[column] = klass.connection.substitute_at(real_column, i)
+        end
+        stmt = klass.unscoped.where(klass.arel_table[klass.primary_key].eq(id)).arel.compile_update(bind_attrs)
+        klass.connection.update stmt, 'SQL', db_columns_with_values
       end
     end
 
diff --git a/activerecord/test/cases/adapter_test.rb b/activerecord/test/cases/adapter_test.rb
index f9149c1819537..0af7cbf74fbf3 100644
--- a/activerecord/test/cases/adapter_test.rb
+++ b/activerecord/test/cases/adapter_test.rb
@@ -1,4 +1,5 @@
 require "cases/helper"
+require "models/book"
 
 module ActiveRecord
   class AdapterTest < ActiveRecord::TestCase
@@ -6,6 +7,19 @@ def setup
       @connection = ActiveRecord::Base.connection
     end
 
+    ##
+    # PostgreSQL does not support null bytes in strings
+    unless current_adapter?(:PostgreSQLAdapter)
+      def test_update_prepared_statement
+        b = Book.create(name: "my \x00 book")
+        b.reload
+        assert_equal "my \x00 book", b.name
+        b.update_attributes(name: "my other \x00 book")
+        b.reload
+        assert_equal "my other \x00 book", b.name
+      end
+    end
+
     def test_tables
       tables = @connection.tables
       assert tables.include?("accounts")