Fix SQL escaping and SQL injection

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb
index de38a07333d307a6773e98a32725da017e29c3b5..ebfcf74adbbf83488f50b4139d6cf481dccf4bff 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb
@@ -57,7 +57,7 @@ class EventCategory
     if errors.empty?
       from_categ=EventCategory.category(from)
       if from_categ
-        Event.update_all("category='#{name}'", "category='#{from_categ.name}'")
+        Event.update_all({:category => name}, "category='#{from_categ.name}'")
         from_categ.delete
       end
     end

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb
index 7b39feb96157cf484ae0e2822f378fc45943670d..a57d9129f5b1447793e2f7a540eab868621b34ac 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb
@@ -165,7 +165,7 @@ class Profile < ActiveRecord::Base
           child.parent_name=new_name
           child.save
         end
-        Property.update_all("text_value='#{new_name}'", ['prop_key=? and text_value=?', "sonar.profile.#{language}", old_name])
+        Property.update_all({:text_value => new_name}, ['prop_key=? and text_value=?', "sonar.profile.#{language}", old_name])
       end
     end
     self