Feedback for PR 13008: SQL sanitization in AR::QueryMethods#order

Aaron_Suggs · December 6, 2013, 10:27pm

Currently, you can’t do SQL sanitized interpolation like ['?', param] with AREL order clauses.

This sanitization would be useful for complex order clauses, e.g. like MySQL ORDER BY FIELD(field, values...):

Post.order(“field(id, ?)”, [2,3,1])

…or geolocation sorting in Postgresql:

Location.order(‘st_distance(latlon, ?) < ?’, location, distance)

Without this patch, developers must remember to sanitize their inputs with more verbose, less common use methods.

Topic		Replies	Views
Default AR order behaviour A May Of WTFs	25	1996	May 16, 2020
[ActiveRecord] Add NULLS LAST ordering to Arel rubyonrails-core feature	3	1598	February 20, 2021
Non-attribute arguments - normally worked around with Arel.sql but with param substitution in "where" rubyonrails-talk	1	1135	March 7, 2023
Arel and a SafeBuffer? rubyonrails-core	5	221	March 17, 2011
Why is Sanitizing SQL Fragments so Highly Muddled? rubyonrails-talk	5	277	May 7, 2014