Ticket #6542: sql_creation_injection_points.diff

base.rb

@@ -1461 +1461 @@
-          end
-        end
-
+        def create_scope_to_object(object) #:nodoc:
+          scope(:create).each { |att,value| object.send("#{att}=", value) } if scoped?(:create)
+        end
+
-        def thread_safe_scoped_methods #:nodoc:
-          scoped_methods = (Thread.current[:scoped_methods] ||= {})
-          scoped_methods[self] ||= []
@@ -1653 +1657 @@
-        @new_record = true
-        ensure_proper_type
-        self.attributes = attributes unless attributes.nil?
-scope, :create).each { |att,value| self.send("#{att}=", value) } if self.class.send(:scoped?, :create
+create_scope_to_object, self
-        result = yield self if block_given?
-        callback(:after_initialize) if respond_to_without_attributes?(:after_initialize)
-        result
@@ -1711 +1715 @@
-      # be made (since they can't be persisted).
-      def destroy
-        unless new_record?
-
-
-
-
+
-        end
-
-        freeze
-      end
-
+      def sql_for_destroy #:nodoc:
+        "DELETE FROM #{self.class.table_name} #{sql_for_destroy_conditions}"
+      end
+
+      def sql_for_destroy_conditions #:nodoc:
+        "WHERE #{self.class.primary_key} = #{quoted_id}"
+      end
+
-      # Returns a clone of the record that hasn't been assigned an id yet and
-      # is treated as a new record.  Note that this is a "shallow" clone:
-      # it copies the object's attributes only, not its associations.
@@ -1951 +1960 @@
-      # Updates the associated record with values matching those of the instance attributes.
-      # Returns the number of affected rows.
-      def update
-
-
-
-
-
-
+
-      end
-
+      def sql_for_update #:nodoc:
+        "UPDATE #{self.class.table_name} #{sql_for_update_values} #{sql_for_update_conditions}"
+      end
+
+      def sql_for_update_values #:nodoc:
+        "SET #{quoted_comma_pair_list(connection, attributes_for_update)}"
+      end
+
+      def attributes_for_update #:nodoc:
+        attributes_with_quotes(false)
+      end
+
+      def sql_for_update_conditions #:nodoc:
+        "WHERE #{self.class.primary_key} = #{quote_value(id)}"
+      end
+
-      # Creates a record with values matching those of the instance attributes
-      # and returns its id.
-      def create
@@ -1966 +1986 @@
-          self.id = connection.next_sequence_value(self.class.sequence_name)
-        end
-
-
-
-
-
-
+
-          self.class.primary_key, self.id, self.class.sequence_name
-        )
-
@@ -1978 +1994 @@
-        id
-      end
-
+      def sql_for_create #:nodoc:
+        "INSERT INTO #{self.class.table_name} " + 
+        "(#{columns_for_create.join(', ')}) " +
+        "VALUES(#{attributes_for_create.values.join(', ')})"
+      end
+
-      # Sets the attribute used for single table inheritance to this class name if this is not the ActiveRecord descendent.
-      # Considering the hierarchy Reply < Message < ActiveRecord, this makes it possible to do Reply.new without having to
-      # set Reply[Reply.inheritance_column] = "Reply" yourself. No such attribute would be set for objects of the
@@ -2117 +2139 @@
-        end
-      end
-
+      alias_method :columns_for_create,    :quoted_column_names
+      alias_method :attributes_for_create, :attributes_with_quotes
+
-      def quote_columns(quoter, hash)
-        hash.inject({}) do |quoted, (name, value)|
-          quoted[quoter.quote_column_name(name)] = value