Froze rails gems
[depot.git] / vendor / rails / activerecord / lib / active_record / connection_adapters / abstract / quoting.rb
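module ActiveRecord
  module ConnectionAdapters # :nodoc:
    # Default SQL quoting helpers. Every method here is a generic fallback:
    # identifiers are returned unquoted, booleans render as 't'/'f', and
    # strings are escaped by doubling backslashes and single quotes.
    # NOTE(review): presumably concrete adapters override these with
    # database-specific versions -- confirm for each adapter in use.
    module Quoting
      # Quotes the column value to help prevent
      # {SQL injection attacks}[http://en.wikipedia.org/wiki/SQL_injection].
      #
      # +value+ is the Ruby object to render as an SQL literal. +column+ is
      # optional; when given, its +type+ decides how strings and booleans are
      # rendered. Returns the literal as a String.
      #
      # How each kind of value is rendered:
      # * responds to +quoted_id+ - the result of +quoted_id+, returned verbatim
      # * String / Multibyte::Chars - escaped and wrapped in single quotes,
      #   except on :integer / :float columns, where it is coerced with
      #   +to_i+ / +to_f+ and returned unquoted
      # * nil - NULL
      # * true / false - '1' / '0' on :integer columns, otherwise
      #   +quoted_true+ / +quoted_false+
      # * Integer, Float - +to_s+, unquoted
      # * BigDecimal - <tt>to_s('F')</tt>, unquoted
      # * date/time-like - <tt>'quoted_date(value)'</tt>
      # * anything else - the YAML dump of the object, escaped and quoted
      #
      # Security notes for callers:
      # * The +quoted_id+ result is trusted as-is and never passes through
      #   +quote_string+, so anything implementing +quoted_id+ must return
      #   text that is already safe to embed in SQL.
      # * The final branch serializes any other object (Symbol, Array, Hash,
      #   ...) to YAML instead of rejecting it. Validate the type of
      #   externally supplied values before they reach this method.
      def quote(value, column = nil)
        # records are quoted as their primary key
        return value.quoted_id if value.respond_to?(:quoted_id)

        case value
        when String, ActiveSupport::Multibyte::Chars
          value = value.to_s
          if column && column.type == :binary && column.class.respond_to?(:string_to_binary)
            "#{quoted_string_prefix}'#{quote_string(column.class.string_to_binary(value))}'"
          elsif column && [:integer, :float].include?(column.type)
            # Numeric columns never receive string text: the value is reduced
            # to a number first, so trailing non-numeric input is discarded.
            value = column.type == :integer ? value.to_i : value.to_f
            value.to_s
          else
            "#{quoted_string_prefix}'#{quote_string(value)}'"
          end
        when NilClass then "NULL"
        when TrueClass then (column && column.type == :integer ? '1' : quoted_true)
        when FalseClass then (column && column.type == :integer ? '0' : quoted_false)
        # Integer matches everything Fixnum and Bignum used to match, and
        # still resolves on Ruby versions where those two constants are gone.
        when Float, Integer then value.to_s
        # BigDecimals need to be output in a non-normalized form and quoted.
        when BigDecimal then value.to_s('F')
        else
          if value.acts_like?(:date) || value.acts_like?(:time)
            # quoted_date output is wrapped in quotes but not escaped.
            "'#{quoted_date(value)}'"
          else
            "#{quoted_string_prefix}'#{quote_string(value.to_yaml)}'"
          end
        end
      end

      # Quotes a string, escaping any ' (single quote) and \ (backslash)
      # characters. Each backslash becomes two backslashes and each single
      # quote becomes two single quotes; the caller adds the enclosing quotes.
      #
      # NOTE(review): the escaping works on the Ruby string alone and knows
      # nothing about the connection's character set or how the server treats
      # backslashes -- confirm that the adapter in use overrides this where
      # that matters.
      def quote_string(s)
        s.gsub(/\\/, '\&\&').gsub(/'/, "''")
      end

      # Quotes the column name. Defaults to no quoting.
      #
      # Because the name is returned unchanged, this default offers no
      # protection when an identifier comes from untrusted input; check such
      # names against a list of known columns before building SQL with them.
      def quote_column_name(column_name)
        column_name
      end

      # Quotes the table name. Defaults to column name quoting, so the
      # caveat on +quote_column_name+ applies here as well.
      def quote_table_name(table_name)
        quote_column_name(table_name)
      end

      # SQL literal used for +true+ on columns that are not :integer.
      def quoted_true
        "'t'"
      end

      # SQL literal used for +false+ on columns that are not :integer.
      def quoted_false
        "'f'"
      end

      # Formats a date/time-like value via <tt>to_s(:db)</tt>. The caller
      # (+quote+) wraps the result in single quotes without escaping it.
      def quoted_date(value)
        value.to_s(:db)
      end

      # Text placed immediately before the opening quote of a string literal.
      # Empty by default.
      def quoted_string_prefix
        ''
      end
    end
  end
end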