validates_uniqueness_of does not escape column names
Reported by Aaron Patterson | July 9th, 2008 @ 04:45 AM | in 2.x
validates_uniqueness_of does not escape column names before querying the database.
I've attached a patch that fixes the problem, and includes a test to reproduce the problem.
Comments and changes to this ticket
-
Pratik July 14th, 2008 @ 01:39 AM
- Assigned user set to Pratik
I'm getting many test failures after applying the patch.
-
Pratik July 14th, 2008 @ 01:28 PM
- State changed from new to incomplete
-
Aaron Patterson July 14th, 2008 @ 03:22 PM
@Alex, no. That is escaping table names. Column names need to be escaped too.
-
Alex MacCaw July 14th, 2008 @ 03:32 PM
I'm pretty sure my patch was quoting column names too :)
The difference between my patch and yours is that you're quoting the column names in the SQL conditions. Perhaps you could update this ticket to make that clear?
-
Murray Steele July 22nd, 2008 @ 12:33 PM
I've a patch for this in my github fork:
http://github.com/h-lame/rails/c...
It's not as nice as Aaron's patch in that it doesn't have a test, but I'm pretty sure that test_validate_uniqueness_with_columns_which_are_sql_keywords (added by Alex's patch in [#23]) in validations_test already covers this (it's a break in that test that turned me on to this). Also, my patch applies the fix to activemodel too, which might be nice.
-
Ryan Alyea October 25th, 2008 @ 11:20 PM
Why hasn't this been patched yet? This causes problems with MySQL 4.x. I have to manually patch for each Rails update.
-
Murray Steele October 26th, 2008 @ 12:23 PM
Actually, it looks like the bug described here has been fixed, just not with anything from this ticket.
This is the commit that does it: http://github.com/rails/rails/co...
This ticket could probably be closed as fixed or duplicate if there's a ticket attached to the above commit (I couldn't find one if there is though.)
-
Frederick Cheung December 20th, 2008 @ 03:52 PM
- State changed from incomplete to resolved
Good call Murray!
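The issue discussed in this ticket, as an added example that is not part of the original thread and is not Rails source code: a uniqueness lookup built with bare identifiers next to one that quotes the table and column names in the SQL conditions. The helper names, the `items` table and its `order`/`group` columns are assumptions made for illustration; `scope` stands in for the `:scope` option of `validates_uniqueness_of`.

```ruby
# Added illustration, not Rails source: helper names and the sample schema
# are hypothetical.

# Identifier quote character per SQL dialect (MySQL uses backticks,
# PostgreSQL and SQLite use double quotes).
QUOTE_CHARS = { mysql: "`", postgresql: '"', sqlite: '"' }.freeze

# Wrap an identifier in the dialect's quote character, doubling any embedded
# occurrence so the name cannot end the quoted identifier early.
def quote_identifier(name, dialect)
  q = QUOTE_CHARS.fetch(dialect)
  "#{q}#{name.to_s.gsub(q, q * 2)}#{q}"
end

# "Before": table and column names are interpolated bare into the conditions,
# so a column named after a SQL keyword produces a statement the database
# rejects or misparses.
def unquoted_uniqueness_sql(table, column, scope = [])
  conds = [column, *scope].map { |c| "#{table}.#{c} = ?" }
  "SELECT 1 FROM #{table} WHERE #{conds.join(' AND ')} LIMIT 1"
end

# "After": every identifier in the conditions goes through quote_identifier.
# Values stay as bind placeholders in both versions.
def quoted_uniqueness_sql(table, column, dialect, scope = [])
  t = quote_identifier(table, dialect)
  conds = [column, *scope].map { |c| "#{t}.#{quote_identifier(c, dialect)} = ?" }
  "SELECT 1 FROM #{t} WHERE #{conds.join(' AND ')} LIMIT 1"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: columns named after the SQL keywords ORDER and GROUP.
  puts unquoted_uniqueness_sql("items", "order", ["group"])
  puts quoted_uniqueness_sql("items", "order", :mysql, ["group"])
  puts quoted_uniqueness_sql("items", "order", :postgresql, ["group"])
end
```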
Tickets have moved to GitHub
The new ticket tracker is available at https://github.com/rails/rails/issues