Ensure we escape variables passed into our SQL query.

2024-11-26 17:53:44 +08:00 · 2017-03-08 20:37:29 +08:00 · 2017-03-08 20:37:29 +08:00 · 10ec554d97
commit 10ec554d97
parent 3c41cb6b7d
1 changed files with 3 additions and 3 deletions
--- a/lib/search.rb
+++ b/lib/search.rb
@ -308,9 +308,9 @@ class Search
      level = TopicUser.notification_levels[match.to_sym]
      posts.where("posts.topic_id IN (
                    SELECT tu.topic_id FROM topic_users tu
-                    WHERE tu.user_id = #{@guardian.user.id} AND
-                          tu.notification_level >= #{level}
-                   )")
+                    WHERE tu.user_id = :user_id AND
+                          tu.notification_level >= :level
+                   )", user_id: @guardian.user.id, level: level)

    end
  end