Rails 2.35
I may be wrong, but I thought that with an array in a parameter, Rails was supposed to comma-separate the array when used like below for a query. I know I can break the param out into a single-quoted and comma-separated string. I was just curious if this can be done automatically by Rails and how I might go about it if so. Thank you.
Parameters being sent:
Parameters: {"method"=>:get, "id"=>["3", "1", "4"]}
The SQL statement in the controller I’m using:
# The Array in params[:id] is interpolated straight into the SQL string here
sql = "SELECT user.user_alias from users " +
      "where user.id in (#{params[:id]}) " +
      "AND user.user_alias is NOT NULL "
aliases = User.find_by_sql(sql)
The SQL string Rails outputs (the ids in the IN clause are just run together as ‘314’):
SELECT User.user_alias
from lte_users
where user.id in (314)
AND user.user_alias is NOT NULL
NEVER, never, do string concatenation in a SQL query, as someone might use this to perform an SQL Injection attack on your webapp.
You should be doing it like this:
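As an added example that is not code from the reply above or from Rails itself: the safe pattern is to let ActiveRecord bind the values, e.g. `User.find_by_sql(["SELECT user_alias FROM users WHERE id IN (?) AND user_alias IS NOT NULL", ids])` or, in Rails 2.3, `User.all(:conditions => ["id IN (?)", ids])`. The Ruby below runs without Rails and mimics that `?` placeholder expansion with the hypothetical helpers `sanitize_sql_array`, `quote_value` and `coerce_ids` (simplified stand-ins, not ActiveRecord's own implementation), beside the interpolating version from the question so the difference is visible.

```ruby
# Added example, not from the original thread. Simulated request parameters
# as shown in the question (constructed input).
PARAMS = { "method" => :get, "id" => ["3", "1", "4"] }

# Interpolating version from the question. Under Ruby 1.8 (the Rails 2.3 era)
# Array#to_s joined the elements with no separator, giving "314"; under Ruby
# 1.9+ it gives '["3", "1", "4"]'. Either way the IN list is wrong, and a
# string id would be spliced into the SQL verbatim.
def unsafe_sql(ids)
  "SELECT user_alias FROM users WHERE id IN (#{ids}) AND user_alias IS NOT NULL"
end

# Quote one value the way a database adapter would: Integers stay bare, any
# other value becomes a single-quoted literal with embedded quotes doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Expand each `?` placeholder with the matching bind value; an Array bind is
# expanded to a comma-separated list of quoted values, which is what makes
# "id IN (?)" work. Hypothetical stand-in for ActiveRecord's sanitizer.
def sanitize_sql_array(sql, *binds)
  parts = sql.split("?", -1)
  unless parts.size - 1 == binds.size
    raise ArgumentError, "expected #{parts.size - 1} binds, got #{binds.size}"
  end
  out = parts.shift
  binds.each_with_index do |bind, i|
    expanded = bind.is_a?(Array) ? bind.map { |v| quote_value(v) }.join(",") : quote_value(bind)
    out << expanded << parts[i]
  end
  out
end

# Defensive check for this controller: ids are primary keys, so reject anything
# that is not a plain decimal integer before it gets near the query.
def coerce_ids(raw_ids)
  Array(raw_ids).map do |id|
    raise ArgumentError, "invalid id: #{id.inspect}" unless id.to_s =~ /\A\d+\z/
    Integer(id, 10)
  end
end

# Parameterised version: validated Integers bound through the placeholder.
def safe_sql(raw_ids)
  sanitize_sql_array(
    "SELECT user_alias FROM users WHERE id IN (?) AND user_alias IS NOT NULL",
    coerce_ids(raw_ids)
  )
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_sql(PARAMS["id"])}"
  puts "safe:   #{safe_sql(PARAMS["id"])}"
end
```

Running the file prints the broken IN list from the interpolating version next to `IN (3,1,4)` from the bound version; passing an id such as `"1x"` to `safe_sql` raises before any SQL is built.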