Hi group.

I've written a patch for Arel to provide a feature similar to the ActiveSupport::SafeBuffer class that allows for bypassing some of Arel's quoting mechanisms when using, say, String#sql_safe, similar to #html_safe. I've come across situations where sometimes I want to perhaps use a native database function or something to that effect where I don't want an entire value quoted and want it to pass through to SQL untouched, i.e.

    MyModel.create(:field => 'now()')

Basically, I ported ActiveSupport::SafeBuffer to Arel::SafeBuffer and it would allow for things like

    MyModel.create(:field => 'now()'.sql_safe)

I know this sort of feature has the potential to be abused and lead to SQL injection attacks, so as a sanity check, I figured I'd check to see if this sort of feature would be useful or if I'm as crazy as I may potentially be for bringing it up. I think if care were taken with its use, it could be pretty useful, as there have been a good number of occasions where I would have liked to have used this sort of mechanism. (I use PostGIS quite often, which provides a bunch of spatial functions for PostgreSQL, for instance.) I'm also thinking someone must have done something similar to this before, but I can't seem to track anything down on the subject.

Anyways, comments, anyone? Would this sort of thing be as useful and potentially disastrous as I think it would be?

Cheers.

J

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
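To make the trade-off in the post concrete, here is an added Ruby example. It is not J's patch and does not touch Arel or ActiveRecord; it is a stand-alone model of a SafeBuffer-style marker for SQL, with hypothetical names (SqlSafeBuffer, String#sql_safe, Quoting.quote_value, build_insert, spatial_insert) standing in for what an adapter's quoting layer would do. It shows the intended pass-through of now(), what happens when user-controlled input is marked safe, and how concatenation keeps untrusted fragments quoted, the same rule ActiveSupport::SafeBuffer applies to HTML.

```ruby
# Added example, not the patch under discussion. A minimal model of an
# ActiveSupport::SafeBuffer-style marker applied to SQL value quoting.
# All class and method names below are hypothetical.

class SqlSafeBuffer < String
  def sql_safe?
    true
  end

  # Mirrors SafeBuffer semantics: appending an unsafe string quotes it,
  # appending another safe buffer keeps it raw. The result stays "safe"
  # because the untrusted part has already been neutralised by quoting.
  def concat(other)
    super(other.is_a?(String) && other.sql_safe? ? other : Quoting.quote_value(other))
  end
  alias << concat

  def +(other)
    dup.concat(other)
  end
end

class String
  def sql_safe?
    false
  end

  # Marks a literal as raw SQL. Only ever call this on strings the
  # programmer wrote, never on data that came from a request.
  def sql_safe
    SqlSafeBuffer.new(self)
  end
end

module Quoting
  # Stand-in for an adapter's value quoting (hypothetical; real adapters
  # handle far more types). Safe buffers pass through untouched.
  def self.quote_value(value)
    case value
    when SqlSafeBuffer then value.to_s
    when nil then "NULL"
    when Integer, Float then value.to_s
    when String then "'" + value.gsub("'", "''") + "'"
    else raise ArgumentError, "unsupported value class #{value.class}"
    end
  end
end

# Renders an INSERT the way a quoting layer would, given a column => value hash.
def build_insert(table, attrs)
  cols = attrs.keys.map(&:to_s).join(", ")
  vals = attrs.values.map { |v| Quoting.quote_value(v) }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# The safe way to wrap untrusted data in a database function (PostGIS-style):
# only the function call is marked safe; the WKT from the user is concatenated
# as an unsafe string, so it gets quoted.
def spatial_insert(user_wkt)
  expr = "ST_GeomFromText(".sql_safe + user_wkt + ")".sql_safe
  build_insert("things", geom: expr)
end

if __FILE__ == $0
  # Plain value: quoted, so now() becomes a string literal, not a function call.
  puts build_insert("things", field: "now()")
  # Marked safe: passes through untouched, the use case in the post.
  puts build_insert("things", field: "now()".sql_safe)
  # Abuse: user input marked safe is a textbook injection (constructed input).
  puts build_insert("things", field: "1); DROP TABLE things; --".sql_safe)
  # Composition: the user-supplied WKT stays inside a quoted literal.
  puts spatial_insert("POINT(1 2)")
  puts spatial_insert("x'); DROP TABLE things; --")
end
```

The point of the last two calls is that the escape hatch is only as safe as the discipline around it: `sql_safe` on a literal the programmer wrote is fine, `sql_safe` on anything that flowed in from a request is an injection, and concatenation that quotes the unsafe side (as SafeBuffer does for HTML) is what keeps mixed expressions honest.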
