
Commit 03c244d

Repaired Badge SQL Injection vulnerability
1 parent 2a70939 commit 03c244d

2 files changed

+3
-3
lines changed


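--- a/app/models/badge.rb
+++ b/app/models/badge.rb
@@ -34,13 +34,13 @@ class Badge < ActiveRecord::Base
 class << self
 def rename(old_class_name, new_class_name)
 Badge.where(badge_class_name: old_class_name).map { |badge| badge.update_attribute(:badge_class_name, new_class_name) }
-Fact.where("metadata LIKE '%#{old_class_name}%'").each do |fact|
+Fact.where('metadata LIKE ?', "%#{old_class_name}%").each do |fact|
 if fact.metadata[:award] == old_class_name
 fact.metadata[:award] = new_class_name
 end
 fact.save
 end
-ApiAccess.where("awards LIKE '%#{old_class_name}%'").each do |api_access|
+ApiAccess.where('awards LIKE ?', "%#{old_class_name}%").each do |api_access|
 if api_access.awards.delete(old_class_name)
 api_access.awards << new_class_name
 end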
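Review bot: Binding the pattern as a parameter closes the injection, but on both new `where` lines old_class_name is still interpolated into a LIKE pattern unescaped, so a `%` or `_` in a badge class name acts as a wildcard and the loops load rows belonging to other classes. The existing `fact.metadata[:award] == old_class_name` and `api_access.awards.delete(old_class_name)` checks keep the writes correct, so the effect is over-fetching rather than a wrong update, but if the app's Rails version provides it, `"%#{sanitize_sql_like(old_class_name)}%"` keeps the pattern literal. Since these relations are iterated with `each`, every matching row is loaded at once; `find_each` would batch the walk, which matters more once the pattern can over-match. The body of `rename` (the closing `end`s of the ApiAccess block and the method) continues outside the hunk.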

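--- a/lib/tasks/protips.rake
+++ b/lib/tasks/protips.rake
@@ -71,5 +71,5 @@ namespace :protips do
 end
 
 def slideshare_facts
-(Fact.where("tags LIKE '% slideshare%'")).uniq
+(Fact.where('tags LIKE ?', '% slideshare%')).uniq
 end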
