Now `ActiveRecord::Base.sanitize_sql_array` supports two formats (example
code is quoted from test/cases/sanitize_test.rb):
1. "% style" (printf style)
```ruby
assert_equal "name='#{quoted_bambi}'", Binary.send(:sanitize_sql_array, ["name='%s'", "Bambi"])
```
2. "?" as placeholder
```ruby
assert_equal "name=#{quoted_bambi}", Binary.send(:sanitize_sql_array, ["name=?", "Bambi"])
```
I want to deprecate and remove "% style"; there are three reasons why I
will do it:
1. I think in normal use cases, almost all "%" placeholders can be replaced
with "?". If there are any use cases where we cannot replace them, please
teach me :)
2. The usage of the two is different, and sometimes this difference creates
insecure queries.
When we use "?", we should not quote "?". But when we use "%", we should
quote "%s" by ourselves. This is confusing and dangerous.
There was unquoted "%s" in the Rails test code:
https://github.com/rails/rails/pull/21758/files
3. In the Rails guide, only "?" is
explained:
http://guides.rubyonrails.org/active_record_querying.html#array-conditions
Regards
yui-knk
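The quoting difference the post describes, as an added stand-alone example that is not part of the original message and not ActiveRecord's implementation: `sanitize_question_marks`, `sanitize_printf`, `escape_sql_string` and the review helper `unquoted_percent_s?` are constructed names imitating the two placeholder styles.

```ruby
# Constructed imitation of the two placeholder styles (not ActiveRecord code).

# Escape embedded single quotes the way a SQL string literal requires.
def escape_sql_string(value)
  value.to_s.gsub("'", "''")
end

# "?" style: every ? becomes a complete quoted literal ('...'), so the
# template itself must not put quotes around the placeholder.
def sanitize_question_marks(template, values)
  vals = values.dup
  template.gsub("?") { "'#{escape_sql_string(vals.shift)}'" }
end

# "%" (printf) style: %s receives only the escaped string; whether it ends
# up inside quotes depends entirely on how the template was written.
def sanitize_printf(template, values)
  format(template, *values.map { |v| escape_sql_string(v) })
end

# Review helper: true when some %s in a printf template is not enclosed in
# single quotes, i.e. the substituted value would land bare in the SQL.
def unquoted_percent_s?(template)
  template.match?(/(?<!')%s|%s(?!')/)
end

# Constructed input with an embedded quote, so the escaping is visible too.
VALUE = "O'Reilly"

# Same value through each style; only the unquoted printf template is unsafe.
def demo
  {
    question_mark:   sanitize_question_marks("name=?", [VALUE]),
    printf_quoted:   sanitize_printf("name='%s'", [VALUE]),
    printf_unquoted: sanitize_printf("name=%s", [VALUE])
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |style, sql| puts "#{style}: #{sql}" }
  puts "flagged as unquoted: #{unquoted_percent_s?('name=%s')}"
end
```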