Changed update_record to use prepared statements.

a53935df · Noemj · 5f30b547 · a53935df · a53935df
隐藏空白更改
内联并排

Showing with 26 addition and 3 deletion

activerecord/lib/active_record/persistence.rb activerecord/lib/active_record/persistence.rb +12 -3

activerecord/test/cases/adapter_test.rb activerecord/test/cases/adapter_test.rb +14 -0

未找到文件。
--- a/activerecord/lib/active_record/persistence.rb
+++ b/activerecord/lib/active_record/persistence.rb
@@ -418,13 +418,22 @@ def create_or_update
    # Returns the number of affected rows.
    def update_record(attribute_names = @attributes.keys)
      attributes_with_values = arel_attributes_with_values_for_update(attribute_names)
-
      if attributes_with_values.empty?
        0
      else
        klass = self.class
-        stmt = klass.unscoped.where(klass.arel_table[klass.primary_key].eq(id)).arel.compile_update(attributes_with_values)
-        klass.connection.update stmt
+        column_hash = klass.connection.schema_cache.columns_hash klass.table_name
+        db_columns_with_values = attributes_with_values.map { |attr,value|
+          real_column = column_hash[attr.name]
+          [real_column, value]
+        }
+        bind_attrs = attributes_with_values.dup
+        bind_attrs.keys.each_with_index do |column, i|
+          real_column = db_columns_with_values[i].first
+          bind_attrs[column] = klass.connection.substitute_at(real_column, i)
+        end
+        stmt = klass.unscoped.where(klass.arel_table[klass.primary_key].eq(id)).arel.compile_update(bind_attrs)
+        klass.connection.update stmt, 'SQL', db_columns_with_values
      end
    end


--- a/activerecord/test/cases/adapter_test.rb
+++ b/activerecord/test/cases/adapter_test.rb
 require "cases/helper"
+require "models/book"

 module ActiveRecord
  class AdapterTest < ActiveRecord::TestCase
@@ -6,6 +7,19 @@ def setup
      @connection = ActiveRecord::Base.connection
    end

+    ##
+    # PostgreSQL does not support null bytes in strings
+    unless current_adapter?(:PostgreSQLAdapter)
+      def test_update_prepared_statement
+        b = Book.create(name: "my \x00 book")
+        b.reload
+        assert_equal "my \x00 book", b.name
+        b.update_attributes(name: "my other \x00 book")
+        b.reload
+        assert_equal "my other \x00 book", b.name
+      end
+    end
+
    def test_tables
      tables = @connection.tables
      assert tables.include?("accounts")