Method: ActiveRecord::Sanitization::ClassMethods#sanitize_sql_for_conditions

Defined in:: activerecord/lib/active_record/sanitization.rb

#sanitize_sql_for_conditions(condition) ⇒ `Object` Also known as: sanitize_sql

Accepts an array of SQL conditions and sanitizes them into a valid SQL fragment for a WHERE clause.

sanitize_sql_for_conditions(["name=? and group_id=?", "foo'bar", 4])
# => "name='foo''bar' and group_id=4"

sanitize_sql_for_conditions(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
# => "name='foo''bar' and group_id='4'"

sanitize_sql_for_conditions(["name='%s' and group_id='%s'", "foo'bar", 4])
# => "name='foo''bar' and group_id='4'"

This method will NOT sanitize an SQL string since it won’t contain any conditions in it and will return the string as is.

sanitize_sql_for_conditions("name='foo''bar' and group_id='4'")
# => "name='foo''bar' and group_id='4'"

Note that this sanitization method is not schema-aware, hence won’t do any type casting and will directly use the database adapter’s quote method. For MySQL specifically this means that numeric parameters will be quoted as strings to prevent query manipulation attacks.

sanitize_sql_for_conditions(["role = ?", 0])
# => "role = '0'"

# File 'activerecord/lib/active_record/sanitization.rb', line 33

def sanitize_sql_for_conditions(condition)
  return nil if condition.blank?

  case condition
  when Array; sanitize_sql_array(condition)
  else        condition
  end
end

Method: ActiveRecord::Sanitization::ClassMethods#sanitize_sql_for_conditions

#sanitize_sql_for_conditions(condition) ⇒ Object Also known as: sanitize_sql

#sanitize_sql_for_conditions(condition) ⇒ `Object` Also known as: sanitize_sql