Escaping SQL when using connection.execute?

Hi all,

Here's the situation: I'm writing a Rails app that connect to a SQL
Server DB via the ODBC adapter. As an outside, non-negotiable
requirement, and writes to the DB must be performed using stored
procedures. (I know, I know... it sucks).

When constructing the query string, how do I go about escaping the
parameters I want to insert.

My first thought was Rail's parameterization of query strings:
Model.connection.execute ["EXECUTE dumb_sp '?','?','?'", a, b, c]
No luck, execute doesn't accept that, it will only accept a string.

Am I stuck with gsubbing all those strings or is there away to compile
the array form to a query that I could use?

Thanks,

Andrew

Check the Rails API for various sanitize_sql_* methods.

Steve,

That was my first thought. However they are protected methods of
ActionController::Base. I was hoping to write the methods in the
model, where they belong.

Andrew

Steve,

That was my first thought. However they are protected methods of
ActionController::Base. I was hoping to write the methods in the
model, where they belong.

I'm sure you meant ActiveRecord::Base :slight_smile: Shouldn't be a problem
calling them from a model. They're class methods though, so if you
were doing this from an instance method you'd have to do a slightly
ugly self.class.send(:sanitize_sql ...).

Fred