github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-26 20:33:38 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Ensure we escape variables passed into our SQL query.

Browse Source
This commit is contained in:
Guo Xiang Tan 2017-03-08 20:37:29 +08:00
parent 3c41cb6b7d
commit 10ec554d97
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/search.rb
View File

@ -308,9 +308,9 @@ class Search
level = TopicUser.notification_levels[match.to_sym] level = TopicUser.notification_levels[match.to_sym]
posts.where("posts.topic_id IN ( posts.where("posts.topic_id IN (
SELECT tu.topic_id FROM topic_users tu SELECT tu.topic_id FROM topic_users tu
WHERE tu.user_id = #{@guardian.user.id} AND WHERE tu.user_id = :user_id AND
tu.notification_level >= #{level} tu.notification_level >= :level
)") )", user_id: @guardian.user.id, level: level)
end end
end end