I would agree to using Arel.sql too. I had a patch in recently that made sure that #limit would allow that value to be passed through to Arel untouched. I think more relation methods should do this. Just recently I had a user on the sqlserver adapter list wanting to pass a complex SQL literal to #order. I could be wrong, but that method too does not allow the Arel::Nodes::SqlLiteral to pass through unescaped. When I have time later, I may look at submitting a patch there too. But it does raise the point that, in places where it is appropriate, ActiveRecord should always allow these nodes to pass down unescaped.
- Ken

On Mar 17, 2011, at 5:52 AM, Ernie Miller wrote:

> On Mar 16, 6:15 pm, J Smith <[email protected]> wrote:
>> I know this sort of feature has the potential to be abused and lead to
>> SQL injection attacks, so as a sanity check, I figured I'd check to
>> see if this sort of feature would be useful or if I'm as crazy as I
>> may potentially be for bringing it up. I think if care were taken with
>> its use, it could be pretty useful, as there have been a good number
>> of occasions where I would have liked to have used this sort of
>> mechanism. (I use PostGIS quite often which provides a bunch of
>> spatial functions for PostgreSQL, for instance.) I'm also thinking
>> someone must have done something similar to this before but I can't
>> seem to track anything down on the subject.
>>
>> Anyways, comments, anyone? Would this sort of thing be as useful and
>> potentially disastrous as I think it would be?
>>
>
> The Arel.sql factory method already enables the easy creation of
> SqlLiterals without monkeypatching String. Seems to me that this
> method doesn't really give us anything much more convenient than that,
> for the times when this sort of thing is needed.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-core?hl=en.
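The thread turns on one distinction: a plain String handed to a relation method is quoted before it reaches the database, while an Arel::Nodes::SqlLiteral (what Arel.sql returns) is meant to pass through unescaped, which is exactly why it is the injection sink J Smith worries about. The following Ruby is an added illustration written for this page; it is not code from the thread, from Rails, or from Arel. The `SqlLiteral` class, `quote_value` and `order_clause` below are simplified stand-ins for the real quoting path (assumptions, not Arel's implementation), and the column allowlist and the PostGIS `ST_Distance` ordering are constructed sample inputs. It shows the quoted String beside the pass-through literal, the unsafe pattern of wrapping a request parameter directly, and the guard a practitioner would put in front of the wrapper.

```ruby
# Added example, not code from the thread or from Rails/Arel.
# Stand-in for the role Arel::Nodes::SqlLiteral plays: "this is trusted SQL,
# emit it verbatim". Assumed API, not Arel's.
class SqlLiteral
  attr_reader :sql

  def initialize(sql)
    @sql = sql
  end

  def to_s
    @sql
  end
end

# Minimal quoter modelling the escaping path: Strings become single-quoted
# SQL string literals with embedded quotes doubled, Integers are emitted as
# numbers, and SqlLiteral passes through untouched.
def quote_value(value)
  case value
  when SqlLiteral then value.sql
  when Integer    then value.to_s
  when String     then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported value #{value.class}"
  end
end

# The sink under discussion (#order in the thread): whatever comes back from
# quote_value is spliced into the statement.
def order_clause(value)
  "ORDER BY #{quote_value(value)}"
end

# Anti-pattern: wrapping request input directly. The literal marker defeats
# quoting, so the parameter lands in the SQL verbatim.
def unsafe_order_from_param(param)
  SqlLiteral.new(param.to_s)
end

# Guard: only identifiers the application itself names are accepted, and the
# direction is normalised, so the literal that is built can only ever contain
# allowlisted tokens. Constructed allowlist for the example.
ALLOWED_ORDER_COLUMNS = %w[name created_at distance].freeze

def order_from_param(param, allowed = ALLOWED_ORDER_COLUMNS)
  column, direction = param.to_s.strip.split(/\s+/, 2)
  raise ArgumentError, "unknown sort column: #{column.inspect}" unless allowed.include?(column)

  direction = (direction || "asc").downcase
  raise ArgumentError, "bad direction: #{direction.inspect}" unless %w[asc desc].include?(direction)

  SqlLiteral.new("#{column} #{direction.upcase}")
end

# The PostGIS case from the thread: a spatial function call that can only be
# expressed as a literal. Coordinates are coerced with Float(), which raises
# on anything that is not a number, so the interpolation cannot carry SQL.
def distance_order(lon, lat)
  lon = Float(lon)
  lat = Float(lat)
  SqlLiteral.new("ST_Distance(geom, ST_MakePoint(#{lon}, #{lat})) ASC")
end

if $PROGRAM_NAME == __FILE__
  hostile = "name; DROP TABLE users--"
  puts order_clause(hostile)                          # quoted, harmless
  puts order_clause(unsafe_order_from_param(hostile)) # verbatim, injected
  puts order_clause(order_from_param("created_at desc"))
  puts order_clause(distance_order("2.5", "48.9"))
end
```

Run it with `ruby` to see the two `ORDER BY` lines side by side: the String version is a useless but harmless quoted literal, the wrapped version carries the injected statement. The point for ActiveRecord letting literals through, as Ken argues, is that the decision to trust a string has to be made where the string is built, never by the relation method that receives it.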
