plugging sql vulnerability in mysql2 adapter

tenderlove · tenderlove · commit 00fc49b9c247 · 2011-08-16T15:42:24.000-07:00
diff --git a/lib/active_record/connection_adapters/mysql2_adapter.rb b/lib/active_record/connection_adapters/mysql2_adapter.rb
@@ -157,7 +157,7 @@ def quote(value, column = nil)
       end
 
       def quote_column_name(name) #:nodoc:
-        @quoted_column_names[name] ||= "`#{name}`"
+        @quoted_column_names[name] ||= "`#{name.to_s.gsub('`', '``')}`"
       end
 
       def quote_table_name(name) #:nodoc:
