
Revision b08ec33d

Added by Dominic Cleal over 8 years ago

fixes #12458 - escape values in fact searches to prevent SQL injection

View differences:

app/models/concerns/scoped_search_extensions.rb
elsif (is_int && is_pg && operator !~ /LIKE/i)
casted = "fact_values.value ~ E'^\\\\d+$' AND CAST(fact_values.value AS DECIMAL) #{operator} #{value}"
else
casted = "fact_values.value #{operator} '#{value}'"
casted = sanitize_sql_for_conditions(["fact_values.value #{operator} ?", value])
end
casted
end
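Review bot: the `?` placeholder in the new `sanitize_sql_for_conditions` call only covers `value` in the fallback `else` branch; the `elsif (is_int && is_pg ...)` branch above it still interpolates `value` directly (`... #{operator} #{value}`), and `operator` is interpolated in both branches. That is safe only if `is_int` is derived from a strict integer match on `value` and `operator` is restricted to a fixed set of comparison operators before this method is reached, and neither condition is visible in this hunk. Consider coercing the numeric branch explicitly (e.g. `value.to_i`) or passing it through a `?` placeholder as well, and documenting where `operator` is validated.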
