Bug #1729
Migration SQL syntax error , quotes in name.
Description
Running
su - foreman -s /bin/bash -c /usr/share/foreman/extras/dbmigrate
from foreman-1.0.0-0.4.el6.noarch on SL6.
-- About to review all audits, this may take a while... rake aborted! An error has occurred, all later migrations canceled: Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right synt ax to use near 'jveldik' van Eldik' WHERE id = 410' at line 1: UPDATE audits SET auditable_name = 'administrator' , username = 'Jan 'jveldik' van Eldik' WHERE id = 410
This is with the perhaps daft input where someone has set thier first name to "Jan 'jveldik'" with single quotes in.
mysql> select login,firstname from users where login = 'jveldik'; +---------+---------------+ | login | firstname | +---------+---------------+ | jveldik | Jan 'jveldik' | +---------+---------------+ 1 row in set (0.01 sec)
For now I'll remove the ''s of course in the first database.
Associated revisions
History
#1
Updated by Ohad Levy over 10 years ago
Updated by - Assignee set to Amos Benari
- Target version set to 1.0
Amos, do you mind having a look? it seems like we can simply use http://apidock.com/rails/v3.2.1/ActiveRecord/Sanitization/ClassMethods/sanitize_sql_array
#2
Updated by Amos Benari over 10 years ago
Updated by - Status changed from New to Closed
- % Done changed from 0 to 100
Applied in changeset b304788d433a4d6fa1c049675d0113d80cc45373.
fixes #1729 safer migration code.