A few minor changes to ensure that no call to ActiveRecord::Base.find interpolates variables into its SQL string, preferring placeholder conditions for security. I noticed no actual holes, but it's better to be able to see at a glance that there is nothing to worry about.

git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@272 a4c988fc-2ded-0310-b66e-134b36920a42
lukemelia 2006-06-30 01:32:29 +00:00
parent 654409439f
commit 7160825d87
3 changed files with 6 additions and 6 deletions


@ -29,9 +29,9 @@ class ApplicationController < ActionController::Base
count = 0
sub = 0
hidden.each do |h|
sub = Todo.find_all("done=0 AND context_id=#{h.id}").length + sub
sub = Todo.find_all(["done = ? AND context_id= ?", false, h.id]).length + sub
end
total = Todo.find_all("done=0").length - sub
total = Todo.find_all(["done = ?",false]).length - sub
end
# Reverses the urlize() method by substituting underscores for spaces
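Review bot: `Todo.find_all([...]).length` on both new lines loads every matching row just to count it; `Todo.count(["done = ? AND context_id = ?", false, h.id])` and `Todo.count(["done = ?", false])` ask the database for the number instead. The `hidden.each` loop still issues one query per hidden context, which is fine for a handful of contexts but could be folded into a single `context_id IN (?)` count if that list grows. The other two files in this commit use the `Todo.find :all, :conditions => [...]` form; using the same form here would keep the query style consistent across the commit. The enclosing method starts before the hunk.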


@ -18,13 +18,13 @@ class Context < ActiveRecord::Base
end
def find_not_done_todos
todos = Todo.find :all, :conditions => ["todos.context_id = #{id} AND todos.done = ? AND type = ?", false, "Immediate"],
todos = Todo.find :all, :conditions => ["todos.context_id = ? AND todos.done = ? AND type = ?", id, false, "Immediate"],
:include => [:context, :project],
:order => "due IS NULL, due ASC, created_at ASC"
end
def find_done_todos
todos = Todo.find :all, :conditions => ["todos.context_id = #{id} AND todos.done = ? AND type = ?", true, "Immediate"],
todos = Todo.find :all, :conditions => ["todos.context_id = ? AND todos.done = ? AND type = ?", id, true, "Immediate"],
:include => [:context, :project],
:order => "completed DESC",
:limit => @user.preferences["no_completed"].to_i
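Review bot: In the new condition strings `todos.context_id` and `todos.done` are table-qualified but `type` is not, while `:include => [:context, :project]` joins the contexts and projects tables; if either of those also has a `type` column the SQL becomes ambiguous, so `todos.type = ?` is the safer spelling in both find_not_done_todos and find_done_todos. The `todos = ` assignment on the new line in find_not_done_todos is never read — the method body ends right after the `:order` option — so it can be dropped. Neither method has a comment; a one-liner such as `# Immediate-type todos in this context that are not yet done, soonest due first` would document the intent. find_done_todos continues past the end of the hunk.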


@ -27,12 +27,12 @@ class Project < ActiveRecord::Base
end
def find_not_done_todos
todos = Todo.find :all, :conditions => ["project_id = #{id} AND done = ?", false],
todos = Todo.find :all, :conditions => ["project_id = ? AND done = ?", id, false],
:order => "due IS NULL, due ASC, created_at ASC"
end
def find_done_todos
todos = Todo.find :all, :conditions => ["project_id = #{id} AND done = ?", true],
todos = Todo.find :all, :conditions => ["project_id = ? AND done = ?", id, true],
:order => "completed DESC",
:limit => @user.preferences["no_completed"].to_i
end
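Review bot: `todos = Todo.find :all, ...` on the new line in find_not_done_todos assigns a local that is never read before the method's `end`, and the same holds for find_done_todos; the bare `Todo.find :all, ...` is the return value either way, so the assignment can be dropped in both. The two new conditions each repeat `project_id = ?` with `id`; if Project declares `has_many :todos` (not visible in this hunk) the association would scope that automatically, e.g. `todos.find :all, :conditions => ["done = ?", false], :order => "due IS NULL, due ASC, created_at ASC"`. A short comment on each method, e.g. `# Todos in this project that are still open, soonest due first`, would document the intent.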