Made relevant changes

MarkUsProject · Jul 21, 2023 · 37b9e7f · 37b9e7f
1 parent 16e5aa6
commit 37b9e7f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/app/controllers/annotation_categories_controller.rb b/app/controllers/annotation_categories_controller.rb
@@ -151,8 +151,11 @@ def find_annotation_text
                                      annotation_category_id: nil
                                    )
 
-    annotation_texts = texts_for_current_assignment.where('lower(content) LIKE ?', "#{string.downcase}%").limit(10) |
-                       one_time_texts.where('lower(content) LIKE ?', "#{string.downcase}%").limit(10)
+    annotation_texts = texts_for_current_assignment
+                       .where('lower(content) LIKE ?', "#{ApplicationRecord.sanitize_sql_like(string.downcase)}%")
+                       .limit(10) |
+                       one_time_texts.where('lower(content) LIKE ?',
+                                            "#{ApplicationRecord.sanitize_sql_like(string.downcase)}%").limit(10)
     render json: annotation_texts
   end
 

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
@@ -169,10 +169,10 @@ def get_names
                                    lower(last_name) like ? OR
                                    lower(user_name) like ? OR
                                    id_number like ?) AND roles.id NOT IN (?)',
-                                 "#{params[:term].downcase}%",
-                                 "#{params[:term].downcase}%",
-                                 "#{params[:term].downcase}%",
-                                 "#{params[:term]}%",
+                                 "#{ApplicationRecord.sanitize_sql_like(params[:term].downcase)}%",
+                                 "#{ApplicationRecord.sanitize_sql_like(params[:term].downcase)}%",
+                                 "#{ApplicationRecord.sanitize_sql_like(params[:term].downcase)}%",
+                                 "#{ApplicationRecord.sanitize_sql_like(params[:term])}%",
                                  Membership.select(:role_id)
                                            .joins(:grouping)
                                            .where(groupings: { assessment_id: params[:assignment_id] }))
@@ -200,7 +200,8 @@ def assign_student_and_next
       if student.nil? || "#{student.first_name} #{student.last_name}" != params[:names]
         student = current_course.students.joins(:user).where(
           'lower(CONCAT(first_name, \' \', last_name)) like ? OR lower(CONCAT(last_name, \' \', first_name)) like ?',
-          params[:names].downcase, params[:names].downcase
+          ApplicationRecord.sanitize_sql_like(params[:names].downcase),
+          ApplicationRecord.sanitize_sql_like(params[:names].downcase)
         ).first
       end
       if student.nil?