Escaping SQL when using connection.execute?

Andrew_Selder1 · August 1, 2008, 5:15pm

Hi all,

Here's the situation: I'm writing a Rails app that connect to a SQL Server DB via the ODBC adapter. As an outside, non-negotiable requirement, and writes to the DB must be performed using stored procedures. (I know, I know... it sucks).

When constructing the query string, how do I go about escaping the parameters I want to insert.

My first thought was Rail's parameterization of query strings: Model.connection.execute ["EXECUTE dumb_sp '?','?','?'", a, b, c] No luck, execute doesn't accept that, it will only accept a string.

Am I stuck with gsubbing all those strings or is there away to compile the array form to a query that I could use?

Thanks,

Andrew

Steve_Downey · August 1, 2008, 7:30pm

Check the Rails API for various sanitize_sql_* methods.

Andrew_Selder1 · August 4, 2008, 4:04pm

Steve,

That was my first thought. However they are protected methods of ActionController::Base. I was hoping to write the methods in the model, where they belong.

Andrew

Frederick_Cheung · August 4, 2008, 4:18pm

Steve,

That was my first thought. However they are protected methods of ActionController::Base. I was hoping to write the methods in the model, where they belong.

I'm sure you meant ActiveRecord::Base Shouldn't be a problem
calling them from a model. They're class methods though, so if you
were doing this from an instance method you'd have to do a slightly
ugly self.class.send(:sanitize_sql ...).

Fred