method

sql

Ruby on Rails latest stable (v7.1.3.2) - 0 notes - Class: Arel

1.0.0
1.1.6
1.2.6
2.0.3
2.1.0
2.2.1
2.3.8
3.0.0
3.0.9
3.1.0
3.2.1
3.2.8
3.2.13
4.0.2
4.1.8
4.2.1
4.2.7
4.2.9
5.0.0.1
5.1.7
5.2.3
6.0.0 (0)
6.1.3.1 (20)
6.1.7.7 (0)
7.0.0 (2)
7.1.3.2 (38)
7.1.3.4 (0)
What's this?

sql(sql_string, *positional_binds, **named_binds) public

Wrap a known-safe SQL string for passing to query methods, e.g.

Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)

Great caution should be taken to avoid SQL injection vulnerabilities. This method should not be used with unsafe values such as request parameters or model attributes.

Take a look at the security guide for more information.

To construct a more complex query fragment, including the possible use of user-provided values, the sql_string may contain ? and :key placeholders, corresponding to the additional arguments. Note that this behavior only applies when bind value parameters are supplied in the call; without them, the placeholder tokens have no special meaning, and will be passed through to the query as-is.

Show source

# File activerecord/lib/arel.rb, line 48
  def self.sql(sql_string, *positional_binds, **named_binds)
    if positional_binds.empty? && named_binds.empty?
      Arel::Nodes::SqlLiteral.new sql_string
    else
      Arel::Nodes::BoundSqlLiteral.new sql_string, positional_binds, named_binds
    end
  end

sql

Related methods