class method self.sql

Ruby on Rails 7.1.6

Since v6.0.6

Available in: v6.0.6 v6.1.7.10 v7.0.10 v7.1.6 v7.2.3 v8.0.4 v8.1.2

Signature

self.sql(sql_string, *positional_binds, **named_binds)

Wrap a known-safe SQL string for passing to query methods, e.g.

Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)

Great caution should be taken to avoid SQL injection vulnerabilities. This method should not be used with unsafe values such as request parameters or model attributes.

Take a look at the security guide for more information.

To construct a more complex query fragment, including the possible use of user-provided values, the sql_string may contain ? and :key placeholders, corresponding to the additional arguments. Note that this behavior only applies when bind value parameters are supplied in the call; without them, the placeholder tokens have no special meaning, and will be passed through to the query as-is.
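The placeholder rule described above, as an added example that is not Rails code: a stdlib-only Ruby model contrasting a value interpolated into the string with the same value passed as a bind. `BindSketch`, its `quote` helper and the sample input are hypothetical, and the quoting (doubling single quotes) is an assumption; a real adapter quotes values per database.

```ruby
# Simplified model of the placeholder rule (NOT Rails' implementation).
# Assumption: values are quoted as standard SQL literals by doubling single
# quotes; a real adapter quotes per database.
module BindSketch
  module_function

  # Hypothetical helper: render a Ruby value as a SQL literal.
  def quote(value)
    case value
    when Integer, Float then value.to_s
    when nil then "NULL"
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # Placeholders only have meaning when bind values are supplied;
  # without them the string is returned untouched.
  def sql(sql_string, *positional_binds, **named_binds)
    return sql_string if positional_binds.empty? && named_binds.empty?

    unless positional_binds.empty?
      expected = sql_string.count("?")
      unless expected == positional_binds.size
        raise ArgumentError, "#{positional_binds.size} bind values for #{expected} placeholders"
      end
      binds = positional_binds.dup
      return sql_string.gsub("?") { quote(binds.shift) }
    end

    sql_string.gsub(/:([a-z_]\w*)/i) do
      key = Regexp.last_match(1).to_sym
      raise ArgumentError, "no value for :#{key}" unless named_binds.key?(key)
      quote(named_binds[key])
    end
  end
end

# Constructed value standing in for a request parameter.
user_input = "o'clock"

# Interpolated: the quote in the value ends the literal early.
puts BindSketch.sql("REPLACE(title, '#{user_input}', 'zzzz') asc")
# Bound: the value stays a single quoted literal.
puts BindSketch.sql("REPLACE(title, ?, 'zzzz') asc", user_input)
puts BindSketch.sql("REPLACE(title, :old, :new) asc", old: user_input, new: "zzzz")
# No bind values: "?" is passed through as-is.
puts BindSketch.sql("title = '?'")
```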

Parameters

sql_string req
positional_binds rest
named_binds keyrest

Source

# File activerecord/lib/arel.rb, line 48
  def self.sql(sql_string, *positional_binds, **named_binds)
    if positional_binds.empty? && named_binds.empty?
      Arel::Nodes::SqlLiteral.new sql_string
    else
      Arel::Nodes::BoundSqlLiteral.new sql_string, positional_binds, named_binds
    end
  end

Defined in activerecord/lib/arel.rb line 48

Defined in Arel
