RFC: Remove support for "% style"(printf style) prepared statement from ActiveRecord

Currently ActiveRecord::Base.sanitize_sql_array supports two formats (the example code is quoted from test/cases/sanitize_test.rb):

  1. “% style” (printf style)

assert_equal "name='#{quoted_bambi}'", Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi"])

  2. “?” as placeholder

assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi"])

I want to deprecate and remove “% style”. There are three reasons why I will do it:

  1. I think that in the normal use case, almost all “%” placeholders can be replaced with “?”. If there are any use cases where we cannot replace them, please teach me :)

  2. The usage of the two is different, and sometimes this difference creates insecure queries.

When we use “?”, we should not quote the “?”. But when we use “%”, we have to quote the “%s” ourselves. This is confusing and dangerous.

There were unquoted “%s” in the Rails test code (see “Quote prepared statements of `sanitize_sql_array`” by yui-knk, Pull Request #21758, rails/rails on GitHub).

  3. In the Rails guide, only “?” is explained (Active Record Query Interface, Ruby on Rails Guides).

Regards

yui-knk
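To make the difference between the two styles concrete, here is an added example (not code from the thread or from Rails itself): a deliberately simplified model of `sanitize_sql_array` in plain Ruby, with no ActiveRecord dependency. `quote_string` and `quote` stand in for the adapter's escaping and quoting; `unquoted_printf_placeholders` and `checked_sanitize_sql_array` are hypothetical helpers that flag the exact mistake described above, a printf-style `%s` that the template author forgot to wrap in quotes. The real `sanitize_sql_array` also handles named binds and adapter-specific quoting, which this model leaves out.

```ruby
# Simplified model of how the "?" and "%s" styles differ (added example,
# not ActiveRecord's implementation).

# Escape single quotes the way an adapter's quote_string would
# (model of connection.quote_string: escapes, does NOT wrap in quotes).
def quote_string(value)
  value.to_s.gsub("'", "''")
end

# Escape AND wrap in single quotes (model of connection.quote).
def quote(value)
  "'#{quote_string(value)}'"
end

# Model of ActiveRecord::Base.sanitize_sql_array:
#   "?" placeholders receive quote(value)        -> escaped and quoted
#   printf "%s" placeholders receive quote_string -> escaped only, so the
#   template itself must supply the surrounding quotes.
def sanitize_sql_array(ary)
  statement, *values = ary
  if statement.include?("?")
    remaining = values.dup
    statement.gsub("?") { quote(remaining.shift) }
  else
    statement % values.map { |v| quote_string(v) }
  end
end

# Return the offsets of every "%s" that is not directly enclosed in single
# quotes. An empty array means every placeholder will become a string literal.
def unquoted_printf_placeholders(template)
  offsets = []
  template.scan(/%s/) do
    i = Regexp.last_match.begin(0)
    before = i > 0 ? template[i - 1] : nil
    after = template[i + 2]
    offsets << i unless before == "'" && after == "'"
  end
  offsets
end

# Defensive wrapper: refuse printf-style templates with an unquoted "%s"
# instead of silently emitting a bare token into the SQL.
def checked_sanitize_sql_array(ary)
  statement = ary.first
  unless statement.include?("?")
    bad = unquoted_printf_placeholders(statement)
    unless bad.empty?
      raise ArgumentError, "unquoted %s at offset(s) #{bad.join(', ')} in #{statement.inspect}"
    end
  end
  sanitize_sql_array(ary)
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_sql_array(["name=?", "Bambi"])        # "?" style: quoted for you
  puts sanitize_sql_array(["name='%s'", "Bambi"])     # printf style, quoted by author
  puts sanitize_sql_array(["name=%s", "Bambi"])       # printf style, quotes forgotten
  puts sanitize_sql_array(["name=?", "O'Reilly"])     # embedded quote is escaped
  begin
    checked_sanitize_sql_array(["name=%s", "Bambi"])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The third call shows the failure mode the post describes: with the quotes missing, `name=%s` becomes `name=Bambi`, a bare token rather than a string literal, and `quote_string` cannot repair that because it only escapes quote characters inside the value. The `?` style never has this problem because the quotes are added by the sanitizer, not by the template author.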

I do not think we would consider this proposal without a stronger reason as to why it is causing harm. It would be an unnecessary breaking change to existing apps.