@drasch
Created January 3, 2013 03:47
# Monkey patch for CVE-2012-2695 (Ruby on Rails SQL injection in Active Record hash conditions).
# Originally written against Rails 2.3.14; this revision carries a minor modification for
# Rails 2.2 by DCR (see the version guard at the bottom of the file).
# Put this file in your config/initializers directory.
# comments/corrections: https://gist.github.com/2921706
# based on a patch from @presidentbeef:
# https://rubyonrails-security.googlegroups.com/attach/aee3413fb038bf56/2-3-sql-injection.patch?view=1&part=3
module ActiveRecord
  class Base
    class << self # Class methods
      protected

      def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
        attrs = expand_hash_conditions_for_aggregates(attrs)
        conditions = attrs.map do |attr, value|
          if not value.is_a?(Hash)
            attr = attr.to_s
            # Extract table name from qualified attribute names, but only at the top
            # level: inside a nested hash a dotted key is treated as a plain column name.
            if attr.include?('.') and top_level
              attr_table_name, attr = attr.split('.', 2)
              attr_table_name = connection.quote_table_name(attr_table_name)
            else
              attr_table_name = default_table_name
            end
            # Rails 2.3's attribute_condition takes the quoted column as well:
            #   attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
            # Rails 2.2's takes only the value, so the column is prepended here. The table
            # must be attr_table_name (not default_table_name) so that a qualified key such
            # as "users.id" keeps its own table instead of the model's. #DCR
            "#{attr_table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
          elsif top_level
            # One level of nesting is allowed: { 'table' => { 'column' => value } }
            sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
          else
            # Anything deeper is rejected rather than spliced into the query.
            raise ActiveRecord::StatementInvalid
          end
        end.join(' AND ')
        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
      end
      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions
    end
  end
end

# This patch was checked against the 2.2.3 source of the method above; on any other
# version compare it with the original before loading it, since it replaces the method wholesale.
raise "please review for different rails version" if Rails.version != "2.2.3"
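Added example, not part of the gist and not Rails code: a stand-alone Ruby model of the patched method next to its pre-fix shape, so the effect of the change can be seen without booting an application. FakeConnection (a PostgreSQL-style quoting stub), the local StatementInvalid class, the Sanitizer module and its simplified attribute_condition / replace_bind_variables / expand_range_bind_variables helpers are assumptions standing in for the real adapter and ActiveRecord::Base; the unpatched form is modelled on the pre-fix 2.2 logic and is likewise an assumption, not the upstream source.

```ruby
# Added example (not from the gist or Rails). Everything below is a stand-in:
# FakeConnection mimics adapter quoting, Sanitizer mimics the relevant parts of
# ActiveRecord::Base, and Sanitizer.unpatched is an assumed model of the pre-fix code.
module FakeConnection
  module_function

  # Double-quoted identifiers with embedded quotes doubled (PostgreSQL style).
  def quote_column_name(name)
    %("#{name.to_s.gsub('"', '""')}")
  end

  # A dotted table name is quoted part by part: schema.table -> "schema"."table"
  def quote_table_name(name)
    name.to_s.split('.').map { |part| quote_column_name(part) }.join('.')
  end

  # Literal quoting for bound values; arrays become a comma list for IN (...)
  def quote(value)
    case value
    when nil     then 'NULL'
    when Numeric then value.to_s
    when Array   then value.map { |v| quote(v) }.join(',')
    else              "'#{value.to_s.gsub("'", "''")}'"
    end
  end
end

class StatementInvalid < StandardError; end

module Sanitizer
  module_function

  def connection
    FakeConnection
  end

  def quoted_table_name
    connection.quote_table_name('posts') # the model's own table
  end

  # Rails 2.2 shape: operator and placeholder only; the caller prepends the column.
  def attribute_condition(value)
    case value
    when nil   then 'IS ?'
    when Array then 'IN (?)'
    when Range then 'BETWEEN ? AND ?'
    else            '= ?'
    end
  end

  # Nested hashes were already rendered by the recursive call and carry no
  # placeholders of their own, so they are skipped; a range yields two values.
  def expand_range_bind_variables(values)
    values.each_with_object([]) do |v, out|
      next if v.is_a?(Hash)
      v.is_a?(Range) ? out.push(v.first, v.last) : out.push(v)
    end
  end

  def replace_bind_variables(statement, values)
    raise ArgumentError, 'bind variable arity mismatch' if statement.count('?') != values.size
    bound = values.dup
    statement.gsub('?') { connection.quote(bound.shift) }
  end

  # Patched form: qualified keys are split only at the top level, nesting is
  # limited to { 'table' => { 'column' => value } }, and anything deeper raises.
  def patched(attrs, default_table_name = quoted_table_name, top_level = true)
    conditions = attrs.map do |attr, value|
      if !value.is_a?(Hash)
        attr = attr.to_s
        if attr.include?('.') && top_level
          attr_table_name, attr = attr.split('.', 2)
          attr_table_name = connection.quote_table_name(attr_table_name)
        else
          attr_table_name = default_table_name
        end
        "#{attr_table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
      elsif top_level
        patched(value, connection.quote_table_name(attr.to_s), false)
      else
        raise StatementInvalid, 'hash conditions may only nest one level deep'
      end
    end.join(' AND ')
    replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
  end

  # Assumed pre-fix form: unlimited recursion, and a dotted key is split into
  # table.column at every level, so a nested key can point at any table.
  def unpatched(attrs, default_table_name = quoted_table_name)
    conditions = attrs.map do |attr, value|
      table_name = default_table_name
      if !value.is_a?(Hash)
        attr = attr.to_s
        if attr.include?('.')
          table_name, attr = attr.split('.', 2)
          table_name = connection.quote_table_name(table_name)
        end
        "#{table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
      else
        unpatched(value, connection.quote_table_name(attr.to_s))
      end
    end.join(' AND ')
    replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs shaped like what a controller would pass straight from params.
  [{ 'title' => 'hello', 'users.id' => 7 },      # qualified key at the top level
   { 'users' => { 'a.b' => 1 } },                 # dotted key inside a nested hash
   { 'users' => { 'x' => { 'id' => 1 } } },       # two levels deep
   { 'id' => [1, 2, 3], 'created_at' => (1..5) }].each do |h|
    [:unpatched, :patched].each do |form|
      out = begin
        Sanitizer.public_send(form, h)
      rescue StatementInvalid => e
        "raised StatementInvalid (#{e.message})"
      end
      puts "#{form.to_s.ljust(9)} #{h.inspect} => #{out}"
    end
  end
end
```

Run it with `ruby` and compare the two columns: the pre-fix form lets a nested `a.b` key retarget the condition to table `a` and silently drops the outer table for a two-level hash, while the patched form keeps `a.b` as a column of the named table and raises on the deeper hash. Top-level qualified keys, arrays and ranges render the same in both, which is the behaviour the fix must preserve.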