Open cgorringe opened 12 years ago
I remember that one on xkcd!
I haven't tested if an SQL injection would work, though I'm somewhat surprised it isn't using parameterized queries... (unless it is)
If I had my BACE dev machine with me right now I'd fix this...
-Carl
On Wed, 2012-05-02 at 18:32 -0700, Mike Travers wrote:
Looks like the bug is in the "texticle" gem. It's been fixed in a newer version of the gem, but the version available depends on a newer version of activerecord (if I remember correctly) which may be hard to upgrade? Maybe someone can figure this out.
Which means you're out of luck if searching for a person with an Irish last name...
Request:
A ActiveRecord::StatementInvalid occurred in searches#index:

PGError: ERROR: syntax error in tsquery: "'pam' & 'O'dea'"

SELECT people.*,
       ts_rank_cd((to_tsvector('english', coalesce("people"."name", '') || ' ' || coalesce("people"."description", ''))),
                  to_tsquery('''pam'' & ''O''dea''')) as rank
FROM "people"
WHERE (to_tsvector('english', coalesce("people"."name", '') || ' ' || coalesce("people"."description", ''))
       @@ to_tsquery('''pam'' & ''O''dea'''))
ORDER BY rank DESC

[RAILS_ROOT]/.bundle/gems/ruby/1.8/gems/activerecord-2.3.11/lib/active_record/connection_adapters/abstract_adapter.rb:227:in `log'
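The trace above shows two quoting layers at work. The outer SQL-literal layer is handled (every quote inside the literal is doubled, `''O''dea''`), but the inner tsquery layer is not: PostgreSQL's `to_tsquery` has its own grammar in which a quoted lexeme may contain a literal quote only if that quote is itself doubled (`'O''dea'`). The string handed to it, `'pam' & 'O'dea'`, therefore closes the lexeme at `'O'` and leaves `dea'` dangling. The following Ruby is an added example, not code from texticle or oscurrency: it reproduces the malformed query from the trace, shows a lexeme quoter that escapes the tsquery layer before the SQL layer, and includes a small balance check that flags the bad form. The function names, the sample words and the checker are constructed for illustration; the checker approximates the tsquery lexeme rules and is not the PostgreSQL parser.

```ruby
# Added example, not part of the texticle gem or the oscurrency project.
# Sample search input constructed to match the trace: "pam O'dea".
SEARCH_WORDS = ["pam", "O'dea"]

# Buggy quoting that reproduces the trace: each word is wrapped in single
# quotes but quotes inside the word are left untouched, so "O'dea" becomes
# 'O'dea' and the tsquery parser sees an unterminated lexeme.
def buggy_tsquery(words)
  words.map { |w| "'#{w}'" }.join(" & ")
end

# Fixed quoting for the tsquery layer: inside a quoted lexeme a backslash
# and a quote are escaped by doubling them, then the lexeme is wrapped.
def tsquery_lexeme(word)
  escaped = word.gsub("\\") { "\\\\" }.gsub("'") { "''" }
  "'#{escaped}'"
end

def fixed_tsquery(words)
  words.map { |w| tsquery_lexeme(w) }.join(" & ")
end

# The outer SQL-literal layer: standard quote doubling. Applying this to the
# buggy tsquery yields exactly the literal visible in the trace, which is why
# the database reports a tsquery syntax error rather than a SQL one.
def sql_literal(str)
  "'" + str.gsub("'") { "''" } + "'"
end

# Rough model of the tsquery lexeme grammar: walk the string toggling in and
# out of a quoted lexeme; inside one, '' is a literal quote and \x escapes x.
# Returns false if the string ends inside a lexeme, or if a closing quote is
# immediately followed by a word character (the 'O'dea' shape).
def balanced_tsquery?(tsq)
  in_lexeme = false
  i = 0
  while i < tsq.length
    c = tsq[i, 1]
    if in_lexeme
      if c == "\\"
        i += 1                      # skip the escaped character
      elsif c == "'"
        if tsq[i + 1, 1] == "'"
          i += 1                    # doubled quote: literal ', stay inside
        else
          in_lexeme = false
          nxt = tsq[i + 1, 1]
          return false if nxt =~ /[[:alnum:]]/   # text glued to closing quote
        end
      end
    elsif c == "'"
      in_lexeme = true
    end
    i += 1
  end
  !in_lexeme
end

if __FILE__ == $0
  bad  = buggy_tsquery(SEARCH_WORDS)
  good = fixed_tsquery(SEARCH_WORDS)
  puts "buggy tsquery:   #{bad}   balanced? #{balanced_tsquery?(bad)}"
  puts "as SQL literal:  #{sql_literal(bad)}"
  puts "fixed tsquery:   #{good}  balanced? #{balanced_tsquery?(good)}"
  puts "as SQL literal:  #{sql_literal(good)}"
end
```

Escaping the lexeme yourself only fixes the tsquery layer; the SQL layer should still go through a bind parameter (in Rails 2.3, a `:conditions => ["... @@ to_tsquery(?)", tsq]` array) rather than string interpolation. If the operator syntax is not needed, `plainto_tsquery(?)` accepts the raw search text and needs no tsquery-level quoting at all.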