I love new Rail 3! The new query syntax is so awesome: users =

Question

0

Editorial Team

Asked: May 16, 20262026-05-16T00:34:40+00:00 2026-05-16T00:34:40+00:00

I love new Rail 3! The new query syntax is so awesome: users =

0

I love new Rail 3!

The new query syntax is so awesome:

users = User.where(:name => 'Bob', :last_name => 'Brown')

But when we need to do something like

SELECT * FROM Users WHERE Age >= const AND Money > const2

We have to use

users = User.where('Age >= ? and money > ?', const, const2)

Which is not very cool. The following query is not safe because of SQL injection:

users = User.where('Age >= #{const} and money > #{const2}')

I like the C#/LINQ version

var users = DB.Where(u => u.Age >= const && u.Money > const2);

Is there a way to do something like that in Rails?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-16T00:34:41+00:00

The new querying with rails isn’t vulnerable to SQL injection. Any quotes in the argument are escaped.

Rails 3 AR has gained the delayed execution that LINQ has had for a while. This lets you chain any of the query methods. The only time you have to put 2 or more parts into a where is when you want an OR.

That aside, there are many different ways to do your query.

Users.where('age >= ?', age).where('money > ?', money)
Users.where('age >= ? and money > ?', age, money)

class User < ActiveRecord::Base
  scope :aged, lambda { |age| where('age >= ?', age) }
  scope :enough_money, lambda { |money| where('money > ?', money) }

  scope :can_admit, lambda { |age, money| aged(age).enough_money(money) }
end

Users.aged(18).enough_money(200)
Users.can_admit(18, 200)

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I love new Rail 3! The new query syntax is so awesome: users =

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply