@@ -51,15 +51,16 @@ def self.included(base)
5151
5252 def self . search_by_user ( key , operator , value )
5353 key_name = key . sub ( /^.*\. / , '' )
54- users = User . all ( :conditions => "#{ key_name } #{ operator } '#{ value_to_sql ( operator , value ) } '" )
54+ condition = sanitize_sql_for_conditions ( [ "? #{ operator } ?" , key_name , value_to_sql ( operator , value ) ] )
55+ users = User . all ( :conditions => condition )
5556 hosts = users . map ( &:hosts ) . flatten
56- opts = hosts . empty? ? "= 'nil' " : "IN (#{ hosts . map ( &:id ) . join ( ',' ) } )"
57+ opts = hosts . empty? ? "< 0 " : "IN (#{ hosts . map ( &:id ) . join ( ',' ) } )"
5758
5859 return { :conditions => " hosts.id #{ opts } " }
5960 end
6061
6162 def self . search_by_puppetclass ( key , operator , value )
62- conditions = "puppetclasses.name #{ operator } ' #{ value_to_sql ( operator , value ) } '"
63+ conditions = sanitize_sql_for_conditions ( [ "puppetclasses.name #{ operator } ?" , value_to_sql ( operator , value ) ] )
6364 hosts = Host . my_hosts . all ( :conditions => conditions , :joins => :puppetclasses , :select => 'DISTINCT hosts.id' ) . map ( &:id )
6465 host_groups = Hostgroup . all ( :conditions => conditions , :joins => :puppetclasses , :select => 'DISTINCT hostgroups.id' ) . map ( &:id )
6566
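Review bot: Binding `key_name` through a `?` placeholder on the new line 54 (`"? #{operator} ?"`) makes sanitize_sql_for_conditions quote it as a string literal, so the generated condition is of the form `'login' = 'value'` — a comparison of two constants that never references the column, rather than the `login = 'value'` the removed line produced. A column name cannot be passed as a bind value; it has to be checked against a known list and interpolated, e.g. `raise ArgumentError, "unknown column #{key_name}" unless User.column_names.include?(key_name)` followed by `condition = sanitize_sql_for_conditions(["#{key_name} #{operator} ?", value_to_sql(operator, value)])`. Note also that `operator` is still interpolated unescaped into the SQL here, on new line 63 in search_by_puppetclass and on new lines 77 and 83 in search_by_params; that is presumably safe only because the calling search framework restricts operators to a fixed set, which is worth confirming or guarding with an explicit allowlist in value_to_sql's caller.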
@@ -73,12 +74,14 @@ def self.search_by_puppetclass(key, operator, value)
7374
7475 def self . search_by_params ( key , operator , value )
7576 key_name = key . sub ( /^.*\. / , '' )
76- opts = { :conditions => "name = '#{ key_name } ' and value #{ operator } '#{ value_to_sql ( operator , value ) } '" , :order => :priority }
77+ condition = sanitize_sql_for_conditions ( [ "name = ? and value #{ operator } ?" , key_name , value_to_sql ( operator , value ) ] )
78+ opts = { :conditions => condition , :order => :priority }
7779 p = Parameter . all ( opts )
7880 return { :conditions => '1 = 0' } if p . blank?
7981
8082 max = p . first . priority
81- negate_opts = { :conditions => "name = '#{ key_name } ' and NOT(value #{ operator } '#{ value_to_sql ( operator , value ) } ') and priority > #{ max } " , :order => :priority }
83+ condition = sanitize_sql_for_conditions ( [ "name = ? and NOT(value #{ operator } ?) and priority > ?" , key_name , value_to_sql ( operator , value ) , max ] )
84+ negate_opts = { :conditions => condition , :order => :priority }
8285 n = Parameter . all ( negate_opts )
8386
8487 conditions = param_conditions ( p )
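Review bot: The local `condition` is assigned on new line 77 and then reassigned on new line 83 with the negated query, so the two statements in between read and the two that follow them rely on which assignment is current; naming the second one distinctly, `negate_condition = sanitize_sql_for_conditions([...])` and `negate_opts = { :conditions => negate_condition, :order => :priority }`, would keep each query's SQL readable on its own. The placeholder for `max` on line 83 correctly replaces the previous direct interpolation of the priority value. search_by_params continues past the end of this hunk.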