I am doing a manual join and I need to pass a parameter to its ON clause:
Foo.joins("LEFT OUTER JOIN bars ON foos.id = bars.foo_id AND bars.baz = #{baz}")
Is there a way to pass baz as a parameter, to avoid potential injection problems? There is a method sanitize_sql_array, but I'm not sure how to make use of it in this case.
Note: I can't use where because it's not the same.
With sanitize_sql_array, that would be:
# Warning: sanitize_sql_array is a protected method; be aware of that to use it properly in your code
ar = ["LEFT OUTER JOIN bars ON foos.id = bars.foo_id AND bars.baz = %s", baz]
# Within the Foo model:
sanitized_sql = sanitize_sql_array(ar)
Foo.joins(sanitized_sql)
Tried it and it worked.
Active Record models have a sanitize class method, so you could do:
Foo.joins("LEFT OUTER JOIN bars ON foos.id = bars.foo_id AND bars.baz = #{Foo.sanitize(baz)}")
It's been removed starting with Rails 5.1; use ActiveRecord::Base.connection.quote() instead.
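Added example, not code from the question or from either answer: a small Ruby stand-in for the bind substitution that Rails' sanitize_sql_array does for ? placeholders (first answer) and for the value quoting that connection.quote does (second answer), so the difference between interpolating baz into the join and binding it can be seen without a database or Rails installed. The helper names quote_literal, bind_sql, unsafe_join and safe_join are my own. One caveat that applies to the first answer's form: in Rails a ? placeholder is replaced by a fully quoted literal, whereas a %s placeholder is filled through quote_string, which escapes the value but does not add the surrounding quotes, so with %s the quotes around a string value have to be written into the SQL text by hand.

```ruby
# Added example: a stand-in for ActiveRecord's `?` bind substitution and
# connection.quote, so the difference between string interpolation and bound
# values can be seen without a database. Not Rails code; helper names are mine.

# Quote a single Ruby value as a SQL literal (the job Rails delegates to
# connection.quote). Strings get single quotes with embedded quotes doubled;
# integers pass through; nil becomes NULL; anything else is rejected.
def quote_literal(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "unsupported bind value: #{value.inspect}"
  end
end

# Replace each `?` in the statement with the next quoted value, in order.
# Like Rails, refuse to continue when placeholders and values do not match.
def bind_sql(statement, values)
  placeholders = statement.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} bind values, got #{values.size}"
  end
  pending = values.dup
  statement.gsub("?") { quote_literal(pending.shift) }
end

# The form from the question: the raw value is pasted into the SQL text.
def unsafe_join(baz)
  "LEFT OUTER JOIN bars ON foos.id = bars.foo_id AND bars.baz = #{baz}"
end

# The bound form: the value is quoted before it reaches the SQL text.
def safe_join(baz)
  bind_sql("LEFT OUTER JOIN bars ON foos.id = bars.foo_id AND bars.baz = ?", [baz])
end

if __FILE__ == $0
  # Constructed sample input: a legitimate value that happens to contain a quote.
  puts unsafe_join("O'Neil")   # the quote lands unescaped in the SQL text
  puts safe_join("O'Neil")     # bars.baz = 'O''Neil'
  puts safe_join(42)           # bars.baz = 42
end
```

Running the script shows why the question's interpolation is a problem even with a well-meaning value: a single quote in the value ends the SQL literal early, while the bound form produces a correctly escaped literal. The placeholder count check is the same guard Rails applies, and it is worth keeping in any hand-rolled fragment builder so a mismatch fails loudly rather than silently leaving a ? in the query.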