Rails 2.3.5
I know I should be doing find_by_sql with sanitized variables like:
sql = %Q{
SELECT blah
FROM blah
ORDER BY ? DESC  # the bound value is inserted as a quoted string literal, e.g. ORDER BY 'name' DESC
}
But, since the variable will be single-quoted, the ORDER BY clause won't work. I know that un-sanitized I could just do:
sql = %Q{
SELECT blah
FROM blah
ORDER BY #{params[:sort]} DESC  # raw interpolation: params[:sort] goes into the SQL unescaped
}
What's the best way to handle needing a sanitized variable in an ORDER BY clause? Thanks!
Maybe a little hack, but I escape params sometimes like this.
sanitize_sql_array is a private class method of an ActiveRecord model, and like this you can access it. It is the same method that is used in the conditions of an AR find.
It is dirty, but I didn't know how to solve it in a better way and I had a time limit 😛
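The following is an added example, not code from either poster. It covers both the problem in the question (a `?` placeholder in ORDER BY becomes a quoted string literal, not a column reference) and the approach a security reviewer would normally recommend instead of escaping: an allow-list that maps the request parameter to a column name the application itself wrote. It is plain Ruby with no ActiveRecord; `quote_value` and `sanitize_sql_array` here are small stand-ins that mimic the placeholder substitution of the real method (an assumption about its behaviour, not the real implementation), and `SORT_COLUMNS`, `order_clause` and `sorted_query` are hypothetical names chosen for the illustration.

```ruby
# Added example, not from the original thread. Pure Ruby, no ActiveRecord.
# Shows why a bound "?" cannot be used for an ORDER BY column, and the
# allow-list approach that keeps request parameters out of the SQL string.

# Stand-in for ActiveRecord's quoting of a bound string value (assumption:
# the value is wrapped in single quotes, with embedded quotes doubled).
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for sanitize_sql_array: each "?" is replaced by the next value,
# quoted, the way ["... ?", value] conditions are expanded.
def sanitize_sql_array(sql, *values)
  values = values.dup
  sql.gsub("?") { quote_value(values.shift) }
end

# The problem from the question: the column name is bound as a string
# literal, so the database either sorts every row by the same constant or
# rejects the statement. Either way the user does not get the sort they asked for.
def order_by_bound(sort)
  sanitize_sql_array("SELECT blah FROM blah ORDER BY ? DESC", sort)
end

# Allow-list approach: the request parameter is only ever used as a lookup
# key. The column names and directions below are written by the developer,
# so nothing from params is interpolated into the SQL.
SORT_COLUMNS = {
  "name"    => "blah.name",
  "created" => "blah.created_at",
  "updated" => "blah.updated_at",
}.freeze
SORT_DIRECTIONS = %w[ASC DESC].freeze

class InvalidSortError < ArgumentError; end

# Returns "<column> <ASC|DESC>" or raises for anything not on the allow-list.
def order_clause(sort_param, dir_param = "DESC")
  column = SORT_COLUMNS.fetch(sort_param.to_s) do |key|
    raise InvalidSortError, "unknown sort key: #{key.inspect}"
  end
  direction = dir_param.to_s.upcase
  unless SORT_DIRECTIONS.include?(direction)
    raise InvalidSortError, "unknown direction: #{dir_param.inspect}"
  end
  "#{column} #{direction}"
end

# Builds the full statement; safe to interpolate because order_clause only
# ever returns developer-written strings.
def sorted_query(sort_param, dir_param = "DESC")
  "SELECT blah FROM blah ORDER BY #{order_clause(sort_param, dir_param)}"
end

if __FILE__ == $0
  puts order_by_bound("created_at")        # ORDER BY 'created_at' DESC: a literal, not a column
  puts sorted_query("created", "asc")      # ORDER BY blah.created_at ASC
  begin
    sorted_query("created_at; DROP TABLE blah")
  rescue InvalidSortError => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller this would be called as `sorted_query(params[:sort], params[:dir])` inside a rescue that turns `InvalidSortError` into a 400 response (or falls back to a default sort). Compared with escaping the parameter, the allow-list also lets you hide the real column names behind request-facing keys and limits sorting to indexed columns, which matters once a table is large enough for an unindexed sort to be a denial-of-service lever.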