DEV: Quote values when constructing SQL (#18827)

All of these cases should already be safe, but still good to quote for
"defense in depth".
Daniel Waterworth
2022-11-01 14:05:13 -05:00
committed by GitHub
parent a356e2fe30
commit 167181f4b7
12 changed files with 39 additions and 37 deletions


@ -58,7 +58,7 @@ task "poll:migrate_old_polls" => :environment do
options = post.custom_fields["polls"]["poll"]["options"]
# iterate over all votes
PluginStoreRow.where(plugin_name: "poll")
.where("key LIKE 'poll_vote_#{post_id}_%'")
.where("key LIKE ?", "poll_vote_#{post_id}_%")
.pluck(:key, :value)
.each do |poll_vote_key, vote|
# extract the user_id
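Review bot: the added line's bind parameter (`.where("key LIKE ?", "poll_vote_#{post_id}_%")`) closes off SQL injection but still builds the LIKE pattern itself by string interpolation, so `post_id` is not escaped for the LIKE wildcards `%` and `_`; a non-integer `post_id` containing either would widen the match. If `post_id` is always an integer here, as the commit message's "already safe" suggests, consider `post_id.to_i` at the interpolation or a one-line comment stating that invariant; otherwise build the pattern from `ActiveRecord::Base.sanitize_sql_like(post_id.to_s)`. Note also that the literal `_` before `%` in `poll_vote_#{post_id}_%` is itself a single-character wildcard in both the old and new line, so the pattern matches any one character in that position rather than only an underscore; if that tolerance is unintended, escape it and add an `ESCAPE` clause.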