AR SQL escaping issue #4037
Comments
This is a problem with escaping. Normal PG escape will not change the backslash since it has no meaning. Unfortunately using the string in terms of a regexp gives the backslash meaning. This patch will demo the error:

diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
index 172055f..a1df55e 100644
--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
@@ -1,4 +1,5 @@
require "cases/helper"
+require 'models/author'
module ActiveRecord
module ConnectionAdapters
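Review bot: the added `require 'models/author'` uses single quotes while the line above it uses `require "cases/helper"`; match the file's existing quoting style. Pulling a model into the quoting test also makes it depend on the `authors` table existing in the PostgreSQL test schema, which this file did not need before, so a `fixtures :authors` declaration (or a note that the schema must be loaded) would make that dependency explicit.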
@@ -8,6 +9,12 @@ module ActiveRecord
@conn = ActiveRecord::Base.connection
end
+ def test_omg
+ string = 'ePoS\\'
+ Author.create!(:name => string)
+ assert_equal 1, Author.where("name ~* ? or name ~* ?", string, string).to_a.length
+ end
+
def test_type_cast_true
c = Column.new(nil, 1, 'boolean')
assert_equal 't', @conn.type_cast(true, nil)

We should fix this by using prepared statements rather than string substitution for the question marks.
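Review bot: `test_omg` does not say what it checks; name it after the behaviour (for example `test_regexp_operator_with_trailing_backslash`) and add a comment that the single-quoted literal `'ePoS\\'` is the five-character string `ePoS\`, so the trailing backslash is what reaches the `~*` operator. The `assert_equal 1` also assumes the `authors` table holds no other matching row before the test runs; unless the test case uses transactional fixtures, the row created by `Author.create!` is left behind and changes the count on the next run. `.to_a.length` could be `.count` and avoid loading the rows.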
Any movement on this?

+1, I am also affected. I guess we'd adapt the postgresql adapter so it also escapes

@tenderlove: do you know of a workaround for this?

/ is a forward slash, and since when is / an escape character?

@tenderlove do you know if this problem can be solved inside the postgres adapter or it should be forwarded to the pg gem?

@tenderlove has there been any work towards producing prepared statements instead of string substitutions as you suggested? Or could/should this be fixed by modifying how things are escaped?
This is notabug. We correctly escape the given string when passing it to PG. The problem is that the

A less confusing / slash-based example would be

As far as Rails is concerned, this is Just A String. Moreover, even if we knew it was being used as a regular expression, we couldn't apply the second level of escaping: given that you're setting out to use a regular expression operator, it doesn't seem unreasonable to assume you actually meant to write a regular expression. Consider the two possible interpretations of

In this particular case, you can use the

my_re = "^(matthewd?|#{search.gsub(/\W/, '\\\\\&')})"

(or use

See also:

query = 'josh\\'
'bob' =~ /#{query}/ # => ArgumentError: too short escape sequence
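The two escaping layers described in the comment above, as an added Ruby example that is not code from this issue or from Rails: `sql_quote` stands in for the adapter's quoting (assuming PostgreSQL's standard_conforming_strings behaviour, where a backslash in a literal is not special), `Regexp.escape` is the caller-side step, and Ruby's regexp engine stands in for PostgreSQL's only to show that a pattern ending in a lone backslash is rejected and that unescaped metacharacters change the match.

```ruby
# Added example, not code from the issue or from Rails: the two escaping
# layers involved when a user string reaches PostgreSQL's ~* operator.

# Layer 1: SQL quoting, standing in for the adapter. Only the quote needs
# doubling; with standard_conforming_strings=on a backslash has no meaning
# in a SQL literal, so it passes through untouched (assumed PG behaviour).
def sql_quote(str)
  "'" + str.gsub("'", "''") + "'"
end

# Layer 2: regexp escaping. Only the caller can apply it, because only the
# caller knows the value is about to be used as a pattern, not a string.
# Regexp.escape neutralises every metacharacter, including a trailing
# backslash, which would otherwise be an incomplete escape sequence.
def regexp_param(str)
  Regexp.escape(str)
end

# The gsub form quoted in the thread: prefix every non-word character
# with a backslash. For ASCII input it agrees with Regexp.escape.
def regexp_param_gsub(str)
  str.gsub(/\W/, '\\\\\&')
end

# The SQL fragment that would reach PostgreSQL for `name ~* ?` once both
# layers have been applied in the right order (regexp first, then SQL).
def regexp_literal(search)
  "name ~* " + sql_quote(regexp_param(search))
end

# Ruby's engine stands in for PostgreSQL's ARE here; both reject a pattern
# that ends in a lone backslash, which is the failure in this issue.
def pattern_compiles?(pattern)
  Regexp.new(pattern)
  true
rescue RegexpError
  false
end

# ~* semantics: case-insensitive match of the escaped search as a literal.
def literal_ci_match?(search, value)
  Regexp.new(regexp_param(search), Regexp::IGNORECASE).match?(value)
end

search = 'ePoS\\'                          # the 5-character string ePoS\
puts sql_quote(search)                     # 'ePoS\'   quoting is correct
puts pattern_compiles?(search)             # false     but not a valid regexp
puts regexp_literal(search)                # name ~* 'ePoS\\'
puts literal_ci_match?(search, 'epos\\')   # true
puts literal_ci_match?('a.c', 'abc')       # false: '.' is no longer a wildcard
```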
Thank you @matthewd for the detailed comment. I agree it is not a bug so I'm closing. Feel free to continue the discussion here if needed.
This patch ensures that member emails are properly regexp-escaped before being inserted in the `including_email` scope query. See rails/rails#4037 for more info.
Hey Guys,
Using the following code:
If the query is: josh/
it is outputted as 'josh/'
which escapes the ' and causes:
Thanks,
Josh