RFC: Remove support for "% style"(printf style) prepared statement from ActiveRecord

Currently ActiveRecord::Base.sanitize_sql_array supports two formats (the example code is quoted from test/cases/sanitize_test.rb):

  1. “% style” (printf style)

assert_equal "name='#{quoted_bambi}'", Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi"])

  2. “?” as placeholder

assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi"])

I want to deprecate and remove “% style”. There are three reasons why I will do it:

  1. I think that in normal use cases, almost all “%” placeholders can be replaced with “?”. If there are any use cases where we cannot replace them, please teach me :)

  2. The usage of the two is different, and sometimes this difference creates insecure queries.

When we use “?”, we should not quote the “?”. But when we use “%”, we have to quote “%s” ourselves. This is confusing and dangerous.

There was unquoted “%s” in the Rails test code: https://github.com/rails/rails/pull/21758/files .

  3. In the Rails guide, only “?” is explained: http://guides.rubyonrails.org/active_record_querying.html#array-conditions.
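Added example (not code from this thread or from Rails itself): a simplified Ruby model of the two sanitize_sql_array formats that reproduces the quoting difference described in reason 2, plus a hypothetical lint-style helper (unquoted_printf_placeholder?) that flags a “%s” template missing its surrounding quotes.

```ruby
# Simplified model of the two sanitize_sql_array formats, written for this
# RFC as an illustration (hypothetical re-implementation, not Rails' code).
# As in Rails, "?" receives a fully quoted value, while "%s" receives only
# an escaped string and relies on the template to supply the quotes.

# Escape a value for use inside single quotes (standard SQL: ' becomes '').
def quote_string(value)
  value.to_s.gsub("'", "''")
end

# Escape and wrap in single quotes, as connection.quote does for strings.
def quote(value)
  "'#{quote_string(value)}'"
end

# "?" style: every ? is replaced by a quoted value; arity is checked.
def replace_bind_variables(statement, values)
  raise ArgumentError, "wrong number of bind variables" if statement.count("?") != values.size
  values = values.dup
  statement.gsub("?") { quote(values.shift) }
end

# Dispatch as in Rails: "?" placeholders win, otherwise printf style.
def sanitize_sql_array(ary)
  statement, *values = ary
  if statement.include?("?")
    replace_bind_variables(statement, values)
  else
    statement % values.map { |v| quote_string(v) }
  end
end

# Lint-style check: true when some %s is not wrapped in single quotes, which
# is the mistake fixed in rails/rails#21758. (Hypothetical helper, not in Rails.)
def unquoted_printf_placeholder?(statement)
  statement.scan(/'?%s'?/).any? { |m| m != "'%s'" }
end

# Constructed input containing a single quote so the difference is visible.
NAME = "O'Hara"

puts sanitize_sql_array(["name=?", NAME])     # => name='O''Hara'  (safe)
puts sanitize_sql_array(["name='%s'", NAME])  # => name='O''Hara'  (safe, caller quoted)
puts sanitize_sql_array(["name=%s", NAME])    # => name=O''Hara    (bare text, not a string literal)

puts unquoted_printf_placeholder?("name='%s'")  # => false
puts unquoted_printf_placeholder?("name=%s")    # => true
```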



I do not think we would consider this proposal without a stronger reason as to why it is causing harm. It would be an unnecessary breaking change to existing apps.