github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-28 22:47:46 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: Quote values when constructing SQL (#18827)

Browse Source 
All of these cases should already be safe, but still good to quote for
"defense in depth".
This commit is contained in:
Daniel Waterworth
2022-11-01 14:05:13 -05:00
committed by GitHub
parent a356e2fe30
commit 167181f4b7
12 changed files with 39 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/poll/lib/tasks/migrate_old_polls.rake
View File

@ -58,7 +58,7 @@ task "poll:migrate_old_polls" => :environment do
options = post.custom_fields["polls"]["poll"]["options"]
# iterate over all votes
PluginStoreRow.where(plugin_name: "poll")
.where("key LIKE 'poll_vote_#{post_id}_%'")
.where("key LIKE ?", "poll_vote_#{post_id}_%")
.pluck(:key, :value)
.each do |poll_vote_key, vote|
# extract the user_id