From 10ec554d9733b8539984e37a228c40c72c5d8a8b Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Wed, 8 Mar 2017 20:37:29 +0800
Subject: [PATCH] Ensure we escape variables passed into our SQL query.
---
 lib/search.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/search.rb b/lib/search.rb
index 187272e76a1..ef306765709 100644
--- a/lib/search.rb
+++ b/lib/search.rb
@@ -308,9 +308,9 @@ class Search
 level = TopicUser.notification_levels[match.to_sym]
 posts.where("posts.topic_id IN (
 SELECT tu.topic_id FROM topic_users tu
- WHERE tu.user_id = #{@guardian.user.id} AND
- tu.notification_level >= #{level}
- )")
+ WHERE tu.user_id = :user_id AND
+ tu.notification_level >= :level
+ )", user_id: @guardian.user.id, level: level)
 end
 end
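Review bot: `level` on the hunk's first context line is a plain hash lookup, `TopicUser.notification_levels[match.to_sym]`, so an unrecognised `match` leaves it nil and the new bind `tu.notification_level >= :level` becomes a comparison against NULL that silently matches no topics. Unless the `advanced_filter` regex that supplies `match` (its definition is outside the hunk) already pins it to known keys, either return `posts` unchanged when `level.nil?` before the `where`, or use `TopicUser.notification_levels.fetch(match.to_sym)` so an unexpected value fails loudly instead of producing an empty result. The named binds are the right change, but both interpolated values were presumably integers from trusted sources (`@guardian.user.id` and a constant-table value), so this reads as defense in depth rather than a closed injection hole; a short comment such as `# bind rather than interpolate: defense in depth, no user text reaches the SQL` would keep a future reader from assuming otherwise. The enclosing block this hunk edits starts outside the hunk.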