Revision b08ec33d
Added by Dominic Cleal over 8 years ago
app/models/concerns/hostext/search.rb | ||
def search_cast_facts(key, operator, value)
{
:conditions => "fact_names.name = '#{key.split('.')[1]}' AND #{cast_facts(key,operator,value)}",
:conditions => "#{sanitize_sql_for_conditions(["fact_names.name = ?", key.split('.')[1]])} AND #{cast_facts(key,operator,value)}",
:include => :fact_names,
}
end
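Review bot: The new `:conditions` line parameterises only the fact name; the second clause is still the raw return value of `cast_facts(key, operator, value)` interpolated into the SQL string, so `operator` and `value` are only protected if `cast_facts` escapes them itself — that method is outside this hunk, and the commit title suggests it was touched too, but it should be confirmed rather than assumed, otherwise the injection is only half-closed. `key.split('.')[1]` is `nil` for a key with no dot, which `sanitize_sql_for_conditions` renders (as far as I can tell) as `fact_names.name = NULL`, a clause that silently matches nothing; a guard such as `name = key.split('.', 2)[1] or raise ArgumentError, "expected facts.<name>"` would make that failure explicit and also stop `foo.bar.baz` keys from being truncated. A short comment stating the invariant this method relies on — `# key is 'facts.<name>'; cast_facts must return already-escaped SQL` — would help the next maintainer keep the second clause safe.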
fixes #12458 - escape values in fact searches to prevent SQL injection