From 7160825d87c675663855d9b2dca8c28371803cb6 Mon Sep 17 00:00:00 2001
From: lukemelia
Date: Fri, 30 Jun 2006 01:32:29 +0000
Subject: [PATCH] A few minor changes to ensure that all calls to ActiveRecord::Base.find do not interpolate variables, preferring conditions for security. There were no holes that I noticed, but it's better to know you don't have to worry with a glance.
git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@272 a4c988fc-2ded-0310-b66e-134b36920a42
---
 tracks/app/controllers/application.rb | 4 ++--
 tracks/app/models/context.rb | 4 ++--
 tracks/app/models/project.rb | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tracks/app/controllers/application.rb b/tracks/app/controllers/application.rb
index 232abab0..36f938fe 100644
--- a/tracks/app/controllers/application.rb
+++ b/tracks/app/controllers/application.rb
@@ -29,9 +29,9 @@ class ApplicationController < ActionController::Base
 count = 0
 sub = 0
 hidden.each do |h|
- sub = Todo.find_all("done=0 AND context_id=#{h.id}").length + sub
+ sub = Todo.find_all(["done = ? AND context_id= ?", false, h.id]).length + sub
 end
- total = Todo.find_all("done=0").length - sub
+ total = Todo.find_all(["done = ?",false]).length - sub
 end
 # Reverses the urlize() method by substituting underscores for spaces
diff --git a/tracks/app/models/context.rb b/tracks/app/models/context.rb
index 7c5f11f4..2ecf936a 100644
--- a/tracks/app/models/context.rb
+++ b/tracks/app/models/context.rb
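Review bot: The new `+` lines still load every matching Todo row only to take `.length`, once per hidden context inside `hidden.each` and once more for the total; ActiveRecord's `count` accepts the same conditions array and lets the database do the counting, e.g. `sub += Todo.count(["done = ? AND context_id = ?", false, h.id])` and `total = Todo.count(["done = ?", false]) - sub`. Neither query is scoped to a user; if todos belong to users in this schema, the total presumably counts every user's open todos, which is worth confirming against the caller. Minor style on the same lines: `context_id= ?` and `["done = ?",false]` have uneven spacing around `=` and after the comma. The enclosing method starts before this hunk, so where `count` and `hidden` come from is not visible here.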
@@ -18,13 +18,13 @@ class Context < ActiveRecord::Base
 end
 def find_not_done_todos
- todos = Todo.find :all, :conditions => ["todos.context_id = #{id} AND todos.done = ? AND type = ?", false, "Immediate"],
+ todos = Todo.find :all, :conditions => ["todos.context_id = ? AND todos.done = ? AND type = ?", id, false, "Immediate"],
 :include => [:context, :project],
 :order => "due IS NULL, due ASC, created_at ASC"
 end
 def find_done_todos
- todos = Todo.find :all, :conditions => ["todos.context_id = #{id} AND todos.done = ? AND type = ?", true, "Immediate"],
+ todos = Todo.find :all, :conditions => ["todos.context_id = ? AND todos.done = ? AND type = ?", id, true, "Immediate"],
 :include => [:context, :project],
 :order => "completed DESC",
 :limit => @user.preferences["no_completed"].to_i
diff --git a/tracks/app/models/project.rb b/tracks/app/models/project.rb
index 85c7e046..3c24bf5b 100644
--- a/tracks/app/models/project.rb
+++ b/tracks/app/models/project.rb
@@ -27,12 +27,12 @@ class Project < ActiveRecord::Base
 end
 def find_not_done_todos
- todos = Todo.find :all, :conditions => ["project_id = #{id} AND done = ?", false],
+ todos = Todo.find :all, :conditions => ["project_id = ? AND done = ?", id, false],
 :order => "due IS NULL, due ASC, created_at ASC"
 end
 def find_done_todos
- todos = Todo.find :all, :conditions => ["project_id = #{id} AND done = ?", true],
+ todos = Todo.find :all, :conditions => ["project_id = ? AND done = ?", id, true],
 :order => "completed DESC",
 :limit => @user.preferences["no_completed"].to_i
 end
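Review bot: `todos = Todo.find ...` on the `+` lines assigns a local that nothing in the hunk reads; the `find` result is already the method's value, so the assignment is noise and can be dropped — the same applies to both methods in the project.rb hunk below. Separately, `:limit => @user.preferences["no_completed"].to_i` is untouched by the commit: `to_i` is what keeps a user-editable preference from reaching the SQL as text, so it should stay, but a missing preference becomes `0`, and `:limit => 0` presumably yields no completed todos rather than an unbounded list; if "unset" should mean a default, `@user.preferences["no_completed"].to_i.nonzero? || DEFAULT_NO_COMPLETED` (placeholder constant name) with a frozen constant on the class would express that. The closing `end` of find_done_todos lies outside this hunk.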
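Review bot: The `+` lines bind `id` by hand in both methods; if Project declares `has_many :todos` (not visible in this hunk), `todos.find(:all, :conditions => ["done = ?", false], :order => ...)` would let the association supply the `project_id` predicate and keep the condition string free of the foreign key altogether, and the same would hold for the context.rb methods above. That is a refactor rather than a defect — the bound form the commit introduces is already safe, and it does raise the point that the association-based form also cannot regress into interpolation later. Both `def`s sit inside this hunk, but the class header and any association declarations are not.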