validates_uniqueness_of does not escape column names
Reported by Aaron Patterson | July 9th, 2008 @ 04:45 AM | in 2.x
validates_uniqueness_of does not escape column names before querying the database.
I've attached a patch that fixes the problem, and includes a test to reproduce the problem.
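To make the failure concrete, here is an added illustration (my own code, not Rails' validates_uniqueness_of or the attached patch) of the WHERE clause the validation builds when the column name is interpolated bare versus when it is passed through the adapter's column quoting. The helpers `quote_column_name`, `quote_value`, the two condition builders and the reserved-word list are stand-ins I constructed for the example; the quoting style mimics the MySQL adapter's backticks, and the reserved-word subset is only large enough to flag the problem. Note that the attribute name comes from the `validates_uniqueness_of` declaration in the model, so this is a correctness issue with keyword-named columns rather than an injection path from user input, but quoting every identifier is still the right habit.

```ruby
# Added example, not Rails' own code: what the uniqueness condition looks like
# with and without quoting the column name, and why the bare form breaks.

# Hypothetical stand-in for the MySQL adapter's connection.quote_column_name.
def quote_column_name(name)
  "`#{name.to_s.gsub('`', '``')}`"
end

# Hypothetical stand-in for connection.quote, string values only.
def quote_value(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Condition built the way the ticket describes: table quoted, column bare.
def uniqueness_condition_unquoted(table, attr, value)
  "`#{table}`.#{attr} = #{quote_value(value)}"
end

# Condition with the column name quoted as well.
def uniqueness_condition_quoted(table, attr, value)
  "`#{table}`.#{quote_column_name(attr)} = #{quote_value(value)}"
end

# Constructed subset of MySQL reserved words; enough to demonstrate the point.
RESERVED = %w[key order group select where from table index desc asc].freeze

# Tiny stand-in for the database parser: an identifier in the column slot
# after `table`. that is a bare reserved word is a syntax error, while a
# backtick-quoted identifier is accepted whatever it contains.
def bare_reserved_identifiers(sql)
  sql.scan(/`[^`]*`\.([A-Za-z_][A-Za-z0-9_]*)/)
     .flatten
     .select { |id| RESERVED.include?(id.downcase) }
end

def parses?(sql)
  bare_reserved_identifiers(sql).empty?
end

if __FILE__ == $0
  # A model with a column named "key", as in the SQL-keyword test mentioned later in the thread.
  bad  = uniqueness_condition_unquoted("keyboards", "key", "a'b")
  good = uniqueness_condition_quoted("keyboards", "key", "a'b")
  puts "unquoted: #{bad}  parses? #{parses?(bad)}"
  puts "quoted:   #{good}  parses? #{parses?(good)}"
end
```

Running it shows the unquoted clause `` `keyboards`.key = 'a''b' `` rejected on the bare `key`, while the quoted clause `` `keyboards`.`key` = 'a''b' `` is accepted; the value side is escaped in both, which is why the bug only surfaces with keyword-named columns.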
Comments and changes to this ticket
-
Pratik July 14th, 2008 @ 01:39 AM
- → Assigned user changed from to Pratik
I'm getting many test failures after applying the patch.
-
Pratik July 14th, 2008 @ 01:28 PM
- → State changed from new to incomplete
-
Aaron Patterson July 14th, 2008 @ 03:22 PM
@Alex, no. That is escaping table names. Column names need to be escaped too.
-

Alex MacCaw July 14th, 2008 @ 03:32 PM
I'm pretty sure my patch was quoting column names too :)
The difference between my patch and yours is that you're quoting the column names in the SQL conditions. Perhaps you could update this ticket to make that clear?
-
Murray Steele July 22nd, 2008 @ 12:33 PM
I've a patch for this in my github fork:
http://github.com/h-lame/rails/c...
It's not as nice as Aaron's patch in that it doesn't have a test, but I'm pretty sure that test_validate_uniqueness_with_columns_which_are_sql_keywords (added by Alex's patch in [#23]) in validations_test already covers this (it's a break in that test that turned me on to this). Also, my patch applies the fix to activemodel too, which might be nice.
-

Ryan Alyea October 25th, 2008 @ 11:20 PM
Why hasn't this been patched yet? This causes problems with MySQL 4.x. I have to manually patch for each Rails update.
-
Murray Steele October 26th, 2008 @ 12:23 PM
Actually, it looks like the bug described here has been fixed, just not with anything from this ticket.
This is the commit that does it: http://github.com/rails/rails/co...
This ticket could probably be closed as fixed or duplicate if there's a ticket attached to the above commit (I couldn't find one if there is though.)
