Rails 2.3.5
I know I should be doing find_by_sql with sanitized variables like:
sql = %Q{
SELECT blah
FROM blah
ORDER BY ? DESC
}
But, since the variable will be single quoted, the ORDER BY clause won't work. I know that un-sanitized I could just do:
sql = %Q{
SELECT blah
FROM blah
ORDER BY #{params[:sort]} DESC
}
What's the best way to handle needing a sanitized variable in an ORDER BY clause? Thanks!
Maybe a little hack, but I escape params sometimes like this:
sql = AnyActiveRecordModel.send(:sanitize_sql_array, ["SELECT blah FROM blah ORDER BY ? DESC", params[:sort]])
sanitize_sql_array is a private class method of an ActiveRecord model, and this way you can access it. It is the same method that is used for the conditions in an AR find:
AnyActiveRecordModel.find(:all, :conditions => ["condition = ?", params[:blah]])
It is dirty, but I didn't know how to solve it in a better way and I had a time limit :P
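As an added example (not code from the question or the answer above), the following plain Ruby shows why "?" binding turns the sort column into a quoted string literal, and the allowlist approach that handles ORDER BY without interpolating user input. bind_params is a hypothetical stand-in for how sanitize_sql_array quotes values, and SORTABLE, order_clause, build_query and the users table are assumptions for the example; nothing here needs Rails.

```ruby
# Hypothetical helper mimicking how a "?" placeholder gets its bound value:
# strings become single-quoted literals with embedded quotes doubled.
def bind_params(sql, *values)
  sql.gsub("?") do
    v = values.shift
    v.is_a?(String) ? "'#{v.gsub("'", "''")}'" : v.to_s
  end
end

# Allowlist: the values accepted in params[:sort], mapped to real columns.
# The user-supplied string is only ever used as a lookup key here.
SORTABLE = {
  "name"    => "users.name",
  "created" => "users.created_at",
}.freeze
DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

# Build the ORDER BY clause by lookup; anything not in the allowlist falls
# back to the default column and direction instead of reaching the SQL.
def order_clause(sort, dir = "desc", default: "users.created_at")
  column    = SORTABLE.fetch(sort.to_s, default)
  direction = DIRECTIONS.fetch(dir.to_s.downcase, "DESC")
  "ORDER BY #{column} #{direction}"
end

def build_query(sort, dir = "desc")
  "SELECT * FROM users #{order_clause(sort, dir)}"
end

if __FILE__ == $0
  # Binding quotes the value, so the database sorts by a constant string,
  # which is why the "?" version in the question does not order anything.
  puts bind_params("SELECT * FROM users ORDER BY ? DESC", "name")
  puts build_query("name", "asc")            # allowlisted key, used
  puts build_query("unknown_column", "xyz")  # unknown key, default used
end
```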