instance method
sanitize_sql_array
Ruby on Rails 7.1.6
Since v3.2.22.5
Signature
sanitize_sql_array(ary)
Accepts an array of conditions. The array has each value sanitized and interpolated into the SQL statement. If using named bind variables in SQL statements where a colon is required verbatim, use a backslash to escape it.

sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])
# => "name='foo''bar' and group_id=4"

sanitize_sql_array(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
# => "name='foo''bar' and group_id=4"

sanitize_sql_array(["TO_TIMESTAMP(:date, 'YYYY/MM/DD HH12\\:MI\\:SS')", date: "foo"])
# => "TO_TIMESTAMP('foo', 'YYYY/MM/DD HH12:MI:SS')"

sanitize_sql_array(["name='%s' and group_id='%s'", "foo'bar", 4])
# => "name='foo''bar' and group_id='4'"
Note that this sanitization method is not schema-aware, hence won’t do any type casting and will directly use the database adapter’s quote method. For MySQL specifically this means that numeric parameters will be quoted as strings to prevent query manipulation attacks.
sanitize_sql_array(["role = ?", 0]) # => "role = '0'"
Parameters
- ary (required)
Source
# File activerecord/lib/active_record/sanitization.rb, line 163
def sanitize_sql_array(ary)
  statement, *values = ary
  if values.first.is_a?(Hash) && /:\w+/.match?(statement)
    replace_named_bind_variables(statement, values.first)
  elsif statement.include?("?")
    replace_bind_variables(statement, values)
  elsif statement.blank?
    statement
  else
    statement % values.collect { |value| connection.quote_string(value.to_s) }
  end
end
Defined in activerecord/lib/active_record/sanitization.rb line 163
Defined in ActiveRecord::Sanitization::ClassMethods
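As an added illustration (not Rails' own code), the following self-contained Ruby model reproduces the three branches the source above dispatches to, so the documented results can be checked without a database connection. The `quote` and `quote_string` helpers are simplified stand-ins for the adapter's methods (single quotes doubled, integers left bare, nil becomes NULL); the bind-count and missing-name checks raise a `PreparedStatementInvalid` error modelled on the one Active Record uses.

```ruby
class PreparedStatementInvalid < StandardError; end

# Stand-in for connection.quote_string: escape embedded single quotes only.
def quote_string(str)
  str.gsub("'", "''")
end

# Stand-in for connection.quote: strings get surrounding quotes, integers stay bare.
def quote(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'#{quote_string(value.to_s)}'"
  end
end

# Positional binds: each "?" takes the next quoted value; counts must match.
def replace_bind_variables(statement, values)
  expected = statement.count("?")
  if expected != values.size
    raise PreparedStatementInvalid, "wrong number of bind variables (#{values.size} for #{expected}) in: #{statement}"
  end
  bound = values.dup
  statement.gsub("?") { quote(bound.shift) }
end

# Named binds: ":name" is looked up in the hash; a backslash-escaped "\:" is
# emitted as a literal colon, so 'HH12\:MI' survives as 'HH12:MI'.
def replace_named_bind_variables(statement, bind_vars)
  statement.gsub(/(\\?):([a-zA-Z]\w*)/) do
    if $1 == "\\"
      ":#{$2}"
    elsif bind_vars.key?($2.to_sym)
      quote(bind_vars[$2.to_sym])
    else
      raise PreparedStatementInvalid, "missing value for :#{$2} in #{statement}"
    end
  end
end

# Same dispatch order as the documented method.
def sanitize_sql_array(ary)
  statement, *values = ary
  if values.first.is_a?(Hash) && /:\w+/.match?(statement)
    replace_named_bind_variables(statement, values.first)
  elsif statement.include?("?")
    replace_bind_variables(statement, values)
  elsif statement.strip.empty?
    statement
  else
    # "%s" style: the statement already carries the quotes, so only escape.
    statement % values.collect { |value| quote_string(value.to_s) }
  end
end
```

Note that the `%s` branch relies on the caller having written the surrounding quotes into the statement; a bare `%s` with a string value would not be quoted at all, which is why the bind-variable forms are the safer default.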