---
title: Arel
layout: default
---
<div class="main">
<div class="banner">
<span>Ruby on Rails 8.0.0</span><br />
<div class="type">Module</div>
<h1>
Arel
</h1>
<ul class="files">
<li><a href="../files/activerecord/lib/arel_rb.html">activerecord/lib/arel.rb</a></li>
</ul>
</div>
<div id="bodyContent">
<div id="content">
<h2 id="methods">Methods</h2>
<ul>
<li>
<a href="#method-c-sql">sql</a>
</li>
</ul>
<!-- Section constants -->
<h2 id="constants">Constants</h2>
<table border='0' cellpadding='5'>
<tr valign='top'>
<td class="attr-name">VERSION</td>
<td>=</td>
<td class="attr-value">"10.0.0"</td>
</tr>
</table>
<!-- Methods -->
<h2 id="class-public-methods">Class Public methods</h2>
<div class="method">
<h3 id="method-c-sql">
sql(sql_string, *positional_binds, retryable: false, **named_binds)
</h3>
<div class="description">
<p>Wrap a known-safe SQL string for passing to query methods, e.g.</p>
<pre><code>Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)
</code></pre>
<p>Great caution should be taken to avoid SQL injection vulnerabilities. This method should not be used with unsafe values such as request parameters or model attributes.</p>
<p>Take a look at the <a href="https://guides.rubyonrails.org/security.html#sql-injection">security guide</a> for more information.</p>
<p>To construct a more complex query fragment, including the possible use of user-provided values, the <code>sql_string</code> may contain <code>?</code> and <code>:key</code> placeholders, corresponding to the additional arguments. Note that this behavior only applies when bind value parameters are supplied in the call; without them, the placeholder tokens have no special meaning, and will be passed through to the query as-is.</p>
<p>The <code>:retryable</code> option can be used to mark the SQL as safe to retry. Use this option only if the SQL is idempotent, as it could be executed more than once.</p>
</div>
<details class="method__source">
<summary>
<span class="label">📝 Source code</span>
</summary>
<pre><code class="ruby"># File activerecord/lib/arel.rb, line 52
def self.sql(sql_string, *positional_binds, retryable: false, **named_binds)
  if positional_binds.empty? && named_binds.empty?
    Arel::Nodes::SqlLiteral.new(sql_string, retryable: retryable)
  else
    Arel::Nodes::BoundSqlLiteral.new sql_string, positional_binds, named_binds
  end
end</code></pre>
<a href="https://github.com/rails/rails/blob/dd8f7185faeca6ee968a6e9367f6d8601a83b8db/activerecord/lib/arel.rb#L52" target="_blank" class="github_url">🔎 See on GitHub</a>
</details>
</div>
</div>
</div>
</div>