validate sort_clause to prevent sql injection

1 parent a06e09e commit 653270667e6da90de340e40d2b6d099823edf03e @twalpole committed Jul 18, 2009
Showing with 2 additions and 1 deletion.
  1. +2 −1 lib/ujs_sort_helper.rb
@@ -84,7 +84,8 @@ def sort_update()
# Use this to sort the controller's table items collection.
#
def sort_clause()
- session[@sort_name][:key] + ' ' + session[@sort_name][:order]
+ result = session[@sort_name][:key] + ' ' + session[@sort_name][:order]
+ result if result =~ /^[\w_]+ (asc|desc)$/i # Validate sort.
end
# Returns a link which sorts by the named column.
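Review bot: the anchors `^` and `$` in `result =~ /^[\w_]+ (asc|desc)$/i` match at line boundaries in Ruby, not at the start and end of the whole string, so a key or order value that contains a newline can still satisfy the pattern; use `\A` and `\z` to anchor the whole string. Two smaller points on the same line: `[\w_]` is equivalent to `\w`, which already includes the underscore, and the method now returns nil when the match fails, so any caller that concatenates the return value into an ORDER BY clause needs to handle nil (raising or falling back to a default sort is safer than returning nil silently). A stricter check would compare `session[@sort_name][:key]` against the table's actual column names rather than accepting any run of word characters.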
