authorSimon Brandhof <simon.brandhof@gmail.com>2012-10-12 16:08:25 +0200
committerSimon Brandhof <simon.brandhof@gmail.com>2012-10-12 16:08:25 +0200
commit1fc5fba19066db28b791bb4a3f0ed895a518e1de (patch)
treed478acba7b1e56e889de8382b85018b8cdce3436 /sonar-server/src/main/webapp/WEB-INF/app/models
parent6252ee76fe4260534e0bd31dd3ade1d2c315723a (diff)
Fix SQL escaping and SQL injection
Diffstat (limited to 'sonar-server/src/main/webapp/WEB-INF/app/models')
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb2
-rw-r--r--sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb2
2 files changed, 2 insertions, 2 deletions
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb
index de38a07333d..ebfcf74adbb 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/models/event_category.rb
@@ -57,7 +57,7 @@ class EventCategory
if errors.empty?
from_categ=EventCategory.category(from)
if from_categ
- Event.update_all("category='#{name}'", "category='#{from_categ.name}'")
+ Event.update_all({:category => name}, "category='#{from_categ.name}'")
from_categ.delete
end
end
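Review bot: The condition argument on the added line is still built by string interpolation, `"category='#{from_categ.name}'"`, so only the SET half of this `update_all` is now bound. `from_categ.name` looks like a stored, user-defined category name (inferred from `EventCategory.category(from)`; the lookup itself is outside the hunk), so a name containing a quote would still break or change the statement. Bind the condition as well, `Event.update_all({:category => name}, ['category=?', from_categ.name])`, which matches the array-condition form already used for `Property.update_all` in profile.rb in this commit. The enclosing method starts before the hunk, so any validation of `from` ahead of this point is not visible here.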
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb b/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb
index 7b39feb9615..a57d9129f5b 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/models/profile.rb
@@ -165,7 +165,7 @@ class Profile < ActiveRecord::Base
child.parent_name=new_name
child.save
end
- Property.update_all("text_value='#{new_name}'", ['prop_key=? and text_value=?', "sonar.profile.#{language}", old_name])
+ Property.update_all({:text_value => new_name}, ['prop_key=? and text_value=?', "sonar.profile.#{language}", old_name])
end
end
self