fix possible sql injection vulnerability

lynndylanhurley · lynndylanhurley · commit b1aad9322726 · 2015-01-09T13:10:34.000-06:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -31,7 +31,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise_token_auth (0.1.31.beta8)
+    devise_token_auth (0.1.31.beta9)
       devise (~> 3.3)
       rails (~> 4.2)
 
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -27,14 +27,14 @@ def create
         email = resource_params[:email]
       end
 
-      q = "uid='#{email}' AND provider='email'"
+      q = "uid = ? AND provider='email'"
 
       # fix for mysql default case insensitivity
       if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-        q = "BINARY uid='#{email}' AND provider='email'"
+        q = "BINARY uid = ? AND provider='email'"
       end
 
-      @resource = resource_class.where(q).first
+      @resource = resource_class.where(q, email).first
 
       errors = nil
 
diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb
@@ -11,13 +11,13 @@ def create
         email = resource_params[:email]
       end
 
-      q = "uid='#{email}' AND provider='email'"
+      q = "uid = ? AND provider='email'"
 
       if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-        q = "BINARY uid='#{email}' AND provider='email'"
+        q = "BINARY uid = ? AND provider='email'"
       end
 
-      @resource = resource_class.where(q).first
+      @resource = resource_class.where(q, email).first
 
       if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
         # create client id
diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb
@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.31.beta8"
+  VERSION = "0.1.31.beta9"
 end
