Sanitize SQL?

I have the following code in my model, that executes a stored procedure:

    # Does not work: connection.execute takes only the finished SQL string
    connection.execute "exec PS_SaveData ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?",
                       day.to_s, crew_leader.to_s, dayshiftyn.to_s, numtrucks.to_s,
                       numrounds.to_s, numdigouts.to_s, shuttlebuggyyn.to_s, notes.to_s,
                       jobid.to_s, sequence.to_s, material.to_s, oil.to_s, tons.to_s,
                       plant.to_s, site.to_s

It doesn't work, because connection.execute just wants the SQL string to be passed to it. I'm also looking at this code in ActiveRecord::Base, in an attempt to see how Rails sanitizes SQL...

    def find_by_sql(sql)
      connection.select_all(sanitize_sql(sql), "#{name} Load").collect! { |record| instantiate(record) }
    end

But I’m not sure how to apply it to my code above. Help?

TIA,

  • Clinton


The sanitize_sql function just wants an array whose first element is
an SQL fragment and the following ones the variables to be inserted.

Fred
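As an added illustration of Fred's point (this is not ActiveRecord's own code and not something posted in the thread), the block below reimplements just the "?" substitution that sanitize_sql performs on that array: every value is quoted with embedded single quotes doubled, the number of placeholders must match the number of values, and the result is the plain SQL string that connection.execute wants. The helper names quote_sql_value, bind_placeholders and build_save_data, and the sample values, are made up for this example.

```ruby
# Added illustration, not ActiveRecord's implementation: a minimal stand-in for
# the "?" placeholder binding that sanitize_sql does, so the behaviour can be
# seen without a database. In a real model call sanitize_sql itself.

def quote_sql_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"
  when false          then "0"
  else
    # Double every single quote so a value can never terminate the literal
    # and start a new statement (e.g. "x'; drop table jobs; --").
    "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# statement is the SQL fragment, values are the bind variables, one per "?".
# This mirrors the array shape sanitize_sql expects: [sql, v1, v2, ...].
def bind_placeholders(statement, *values)
  expected = statement.count("?")
  unless expected == values.size
    raise ArgumentError,
          "wrong number of bind variables (#{values.size} for #{expected})"
  end
  remaining = values.dup
  statement.gsub("?") { quote_sql_value(remaining.shift) }
end

# Builds the exec string for a (shortened) stored procedure call.
# Hypothetical parameter names; the real call in the thread passes 15 values.
def build_save_data(params)
  bind_placeholders(
    "exec PS_SaveData ?, ?, ?",
    params[:day], params[:crew_leader], params[:notes]
  )
end

if __FILE__ == $0
  # Constructed sample input, including a value that tries to break out
  # of its literal; it comes back harmlessly quoted.
  puts build_save_data(day: "2009-03-02",
                       crew_leader: "O'Brien",
                       notes: "x'; drop table jobs; --")
end
```

Two things worth knowing when applying this to the real sanitize_sql: it has historically been a protected class method on ActiveRecord::Base, so from an instance method it is reached as self.class.send(:sanitize_sql, sql) rather than directly; and calling .to_s on every argument, as in the original code, turns numeric parameters into quoted string literals, which is safe but relies on the database to convert them back.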

Thanks! I got it working here.

    # sanitize_sql takes an array: the SQL fragment first, then one value per "?"
    sql = ["exec PS_SaveData ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?",
           day.to_s, crew_leader.to_s, dayshiftyn.to_s, numtrucks.to_s,
           numrounds.to_s, numdigouts.to_s, shuttlebuggyyn.to_s, notes.to_s,
           jobid.to_s, sequence.to_s, material.to_s, oil.to_s, tons.to_s,
           plant.to_s, site.to_s]

    connection.execute(sanitize_sql(sql))