mirror of
https://github.com/discourse/discourse.git
synced 2025-05-28 22:47:46 +08:00
DEV: Quote values when constructing SQL (#18827)
All of these cases should already be safe, but still good to quote for "defense in depth".
committed by
GitHub

parent
a356e2fe30
commit
167181f4b7
@ -58,7 +58,7 @@ task "poll:migrate_old_polls" => :environment do
|
||||
options = post.custom_fields["polls"]["poll"]["options"]
|
||||
# iterate over all votes
|
||||
PluginStoreRow.where(plugin_name: "poll")
|
||||
.where("key LIKE 'poll_vote_#{post_id}_%'")
|
||||
.where("key LIKE ?", "poll_vote_#{post_id}_%")
|
||||
.pluck(:key, :value)
|
||||
.each do |poll_vote_key, vote|
|
||||
# extract the user_id
|
||||
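Review bot: In the `.where("key LIKE ?", "poll_vote_#{post_id}_%")` line, binding the pattern as a parameter prevents quote breakout but does not escape LIKE metacharacters, so a `%` or `_` inside `post_id` would still be interpreted as a wildcard and widen the match. If `post_id` is not guaranteed to be an integer at this point, coerce it with `post_id.to_i` or pass it through `ActiveRecord::Base.sanitize_sql_like(post_id.to_s)` before interpolating it into the pattern. The literal underscores in `poll_vote_` are also single-character wildcards; that is harmless for this key format, but a short comment saying so would help the next reader.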