Test for multiline resolution

test/apps/rails2/app/controllers/home_controller.rb

@@ -116,6 +116,13 @@ class HomeController < ApplicationController
     User.find_or_create_by_name(params[:name], :code => (params[:x] + "code"))
   end
 
+  def test_user_input_on_multiline
+    User.find_by_sql "select * from users where something = 'something safe' AND " + 
+      "something_not_safe = #{params[:unsafe]} AND " + 
+      "something_else_that_is_safe = 'something else safe'"
+    SQL
+  end
+
   private
 
   def filter_it

test/tests/test_rails2.rb

@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase
         :controller => 1,
         :model => 2,
         :template => 27,
-        :warning => 25 }
+        :warning => 26 }
     else
       @expected ||= {
         :controller => 1,
         :model => 2,
         :template => 27,
-        :warning => 26 }
+        :warning => 27 }
     end
   end
 
@@ -237,6 +237,17 @@ class Rails2Tests < Test::Unit::TestCase
       :file => /home_controller\.rb/
   end
 
+  # ensure that the warning is generated for the line which contains the input, not
+  # the line of the beginning of the string
+  def test_sql_user_input_multiline
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 121,
+      :message => /^Possible SQL injection near line 121: User.find_by_sql/,
+      :confidence => 0,
+      :file => /home_controller\.rb/
+  end  
+
   def test_csrf_protection
     assert_warning :type => :controller,
       :warning_type => "Cross-Site Request Forgery",