method

sanitize_sql

sanitize_sql(ary)
protected

Accepts an array or string. The string is returned untouched, but the array has each value sanitized and interpolated into the SQL statement.

  ["name='%s' and group_id='%s'", "foo'bar", 4]  returns  "name='foo''bar' and group_id='4'"
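As an added illustration (not Rails' own code), the following minimal re-implementation reproduces the array behaviour shown above and contrasts it with the pass-through string form. It assumes the escaping rule the page's example shows (a single quote becomes two single quotes); in Rails the escaping is delegated to the connection adapter's `quote_string` and is adapter-specific.

```ruby
# Hypothetical stand-in for the adapter's quote_string: double embedded
# single quotes, as in the page's "foo''bar" example (assumption: the
# real adapter may escape differently, e.g. MySQL uses backslashes).
def quote_string(str)
  str.gsub("'", "''")
end

# Mirrors the documented contract: a String is returned untouched; an
# Array is treated as [statement, *values], each value is escaped and
# substituted for a %s placeholder. Note that Ruby's format operator
# is used, so a literal % in the statement must be written as %%.
def sanitize_sql(ary)
  return ary if ary.is_a?(String)
  statement, *values = ary
  statement % values.map { |v| quote_string(v.to_s) }
end

# Contrast the two forms for one value: the string form carries the
# value through unescaped, so quoting it yourself provides no protection;
# the array form escapes it before interpolation.
def both_forms(name)
  {
    string_form: sanitize_sql("name='#{name}'"),
    array_form:  sanitize_sql(["name='%s'", name])
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input taken from the example on this page.
  p sanitize_sql(["name='%s' and group_id='%s'", "foo'bar", 4])
  # => "name='foo''bar' and group_id='4'"
  p both_forms("foo'bar")
  # => {:string_form=>"name='foo'bar'", :array_form=>"name='foo''bar'"}
end
```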

2 Notes

What to use instead

cayblood · Jan 2, 2009 · 3 thanks

For versions 2.0+, use ActiveRecord::Base::sanitize_sql_array

Alternate for Rails 2.0

eric_programmer · Jan 23, 2009 · 1 thank

Obviously these methods are protected so usage in an app is discouraged. But if you need to use it anyway for some reason Rails 2.0 also has sanitize_sql_for_conditions which operates exactly like sanitize_sql used to (i.e. it determines if it needs to be processed as an array or hash). So if you are going to blow by the protected status might as well use the easier version. :)