
I have a complex SQL query. I need to safely pass parameters to the SQL query. How can I avoid SQL injections without using ActiveRecord? Where should I keep SQL models/controllers? Does anyone know a good practice for working with SQL Server without ActiveRecord?

Jonas

2 Answers


ActiveRecord has sanitize_sql functions for this. You can check the source code of these methods.

Andrei Andrushkevich

When you bypass ActiveRecord you pretty much have to do everything manually. I assume you have good reasons for doing so.

ActiveRecord::Base has the following methods: sanitize_sql_for_assignments (for set) and sanitize_sql_for_conditions (for select). There are a few other sanitize_sql_* that are probably worth looking at too. Both accept a hash (uses the keys as column names) or a string.

I could be mistaken, but to fetch records and skip ActiveRecord, I think you use ActiveRecord::Base.connection.execute(sql), which should return objects from your database connector. Check the docs for the connector to see what is returned and how to work with it.

As for best practices, sorry, I can't help you there :-)

brettish
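Added example, not code from the question or either answer: a plain-Ruby stand-in for the `?`-placeholder style of ActiveRecord's sanitize_sql_array, written so it runs without the activerecord gem and shows why quoting each value beats string interpolation. The names quote_sql_value, bind_sql_params, unsafe_query and safe_query are assumed here; in a real Rails app call ActiveRecord::Base.sanitize_sql_array or pass binds to ActiveRecord::Base.connection.exec_query instead of this helper.

```ruby
# Stand-in for ActiveRecord's "?" placeholder binding (assumed names, not the
# library's code). Quote one Ruby value as a SQL literal: strings get every
# single quote doubled (standard SQL escaping), integers and NULL are bare,
# arrays become a comma-separated list for IN (...) clauses.
def quote_sql_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when Array   then value.map { |v| quote_sql_value(v) }.join(", ")
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the quoted next value, in order.
# Raises when the placeholder and value counts differ so a forgotten
# parameter cannot silently yield a malformed or overly broad query.
def bind_sql_params(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "#{placeholders} placeholders but #{values.size} values"
  end
  remaining = values.dup
  template.gsub("?") { quote_sql_value(remaining.shift) }
end

# The pattern the question is trying to avoid: user input interpolated
# straight into the SQL text. A quote in the input ends the string literal.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# The same query with the value bound through the quoting helper.
def safe_query(name)
  bind_sql_params("SELECT * FROM users WHERE name = ?", name)
end

if __FILE__ == $0
  puts unsafe_query("O'Brien")   # literal is broken: ... name = 'O'Brien'
  puts safe_query("O'Brien")     # literal is intact: ... name = 'O''Brien'
end
```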