Revision b08ec33d
Added by Dominic Cleal over 8 years ago
app/models/concerns/scoped_search_extensions.rb | ||
elsif (is_int && is_pg && operator !~ /LIKE/i)
casted = "fact_values.value ~ E'^\\\\d+$' AND CAST(fact_values.value AS DECIMAL) #{operator} #{value}"
else
casted = "fact_values.value #{operator} '#{value}'"
casted = sanitize_sql_for_conditions(["fact_values.value #{operator} ?", value])
end
casted
end
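Review bot: The integer branch at the top of the hunk still interpolates `#{value}` raw into `CAST(fact_values.value AS DECIMAL) #{operator} #{value}`, so after this commit that branch is only as safe as the `is_int` check computed outside the hunk, while the `else` branch alone is bound through `sanitize_sql_for_conditions`. Binding it the same way removes that dependency, e.g. `casted = sanitize_sql_for_conditions(["fact_values.value ~ E'^\\\\d+$' AND CAST(fact_values.value AS DECIMAL) #{operator} ?", value.to_i])` (presumably `is_int` guarantees the value is integral, so `to_i` is lossless — worth confirming). `operator` is interpolated unescaped on both lines; that is fine only if it comes from the search parser's fixed operator set rather than from the request, which cannot be confirmed from this hunk. The enclosing method begins before the hunk.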
fixes #12458 - escape values in fact searches to prevent SQL injection