class method
self.sql
Ruby on Rails 8.1.2
Since v6.0.6Signature
self.sql(sql_string, *positional_binds, retryable: false, **named_binds)Wrap a known-safe SQL string for passing to query methods, e.g.
Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)
Great caution should be taken to avoid SQL injection vulnerabilities. This method should not be used with unsafe values such as request parameters or model attributes.
Take a look at the security guide for more information.
To construct a more complex query fragment, including the possible use of user-provided values, the sql_string may contain ? and :key placeholders, corresponding to the additional arguments. Note that this behavior only applies when bind value parameters are supplied in the call; without them, the placeholder tokens have no special meaning, and will be passed through to the query as-is.
The :retryable option can be used to mark the SQL as safe to retry. Use this option only if the SQL is idempotent, as it could be executed more than once.
Parameters
-
sql_stringreq -
positional_bindsrest -
retryablekey = false -
named_bindskeyrest
Source
# File activerecord/lib/arel.rb, line 52
def self.sql(sql_string, *positional_binds, retryable: false, **named_binds)
if Arel::Nodes::SqlLiteral === sql_string
sql_string
elsif positional_binds.empty? && named_binds.empty?
Arel::Nodes::SqlLiteral.new(sql_string, retryable: retryable)
else
Arel::Nodes::BoundSqlLiteral.new sql_string, positional_binds, named_binds
end
end
Defined in activerecord/lib/arel.rb line 52
· View on GitHub
· Improve this page
· Find usages on GitHub
Defined in Arel