Aaron Suggs
2013-Dec-06 22:27 UTC
Feedback for PR 13008: SQL sanitization in AR::QueryMethods#order
I'm looking for feedback on PR #13008: Support SQL sanitization in
AR::QueryMethods#order <https://github.com/rails/rails/pull/13008>.
Currently, you can't do SQL sanitized interpolation like
`['?', param]`
with AREL `order` clauses.
This sanitization would be useful for complex order clauses, e.g. like
MySQL `ORDER BY FIELD(field, values...)`:
Post.order("field(id, ?)", [2,3,1])
...or geolocation sorting in Postgresql:
Location.order('st_distance(latlon, ?) < ?', location, distance)
Without this patch, developers must remember to sanitize their inputs with
more verbose, less commonly used methods.
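Added illustration, not code from the PR or from ActiveRecord: a minimal stand-in for the `?` placeholder expansion that `sanitize_sql_array` performs, showing what the proposed `order("field(id, ?)", [2,3,1])` form expands to versus plain string interpolation of a user-supplied distance. The `OrderSanitizer` module and its simplified quoting rules (integers, strings, arrays, nil) are assumptions for this example.

```ruby
# Simplified stand-in for ActiveRecord's "?" placeholder expansion (assumption:
# not the real implementation). Strings are quoted as SQL literals, arrays
# expand to comma-separated lists, which is what makes "field(id, ?)" work.
module OrderSanitizer
  module_function

  # Quote one value as a SQL literal.
  def quote(value)
    case value
    when Array          then value.map { |v| quote(v) }.join(',')
    when Integer, Float then value.to_s
    when nil            then 'NULL'
    else "'#{value.to_s.gsub("'", "''")}'"   # double embedded single quotes
    end
  end

  # Replace each "?" with the next quoted argument; a count mismatch is an
  # error, as it is with sanitize_sql_array.
  def sanitize(sql, *args)
    raise ArgumentError, 'wrong number of bind variables' unless sql.count('?') == args.size
    pending = args.dup
    sql.gsub('?') { quote(pending.shift) }
  end
end

# Constructed sample: a distance bound that comes straight from user input.
def interpolated_order(dist)
  # What a developer writes without sanitization: the value is spliced in raw.
  "st_distance(latlon, 'POINT(0 0)') < #{dist}"
end

def sanitized_order(dist)
  # The form the PR proposes for order(): the value becomes a quoted literal.
  OrderSanitizer.sanitize('st_distance(latlon, ?) < ?', 'POINT(0 0)', dist)
end

if __FILE__ == $PROGRAM_NAME
  puts OrderSanitizer.sanitize('field(id, ?)', [2, 3, 1])
  puts interpolated_order('1 OR 1=1')   # user text becomes part of the SQL
  puts sanitized_order('1 OR 1=1')      # user text stays a string literal
end
```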