Escaping SQL when using connection.execute?

Hi all,

Here’s the situation: I’m writing a Rails app that connects to a SQL
Server DB via the ODBC adapter. As an outside, non-negotiable
requirement, all writes to the DB must be performed using stored
procedures. (I know, I know… it sucks).

When constructing the query string, how do I go about escaping the
parameters I want to insert?

My first thought was Rails’ parameterization of query strings:
Model.connection.execute ["EXECUTE dumb_sp '?','?','?'", a, b, c]
No luck, execute doesn’t accept that, it will only accept a string.

Am I stuck with gsubbing all those strings or is there a way to compile
the array form to a query that I could use?

Thanks,

Andrew

Check the Rails API for various sanitize_sql_* methods.

Steve,

That was my first thought. However they are protected methods of
ActionController::Base. I was hoping to write the methods in the
model, where they belong.

Andrew

On 4 Aug 2008, at 17:04, Andrew S. wrote:

Steve,

That was my first thought. However they are protected methods of
ActionController::Base. I was hoping to write the methods in the
model, where they belong.

I’m sure you meant ActiveRecord::Base :slight_smile: Shouldn’t be a problem
calling them from a model. They’re class methods though, so if you
were doing this from an instance method you’d have to do a slightly
ugly self.class.send(:sanitize_sql …).

Fred
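As an added illustration of what the array form compiles down to (this is not code from the thread or from ActiveRecord), the stand-alone module below mimics the `?`-placeholder substitution that ActiveRecord's `sanitize_sql_array` performs, quoting each value as a SQL Server literal by doubling single quotes. The module name `SpQuoting` and the helper `exec_sp` are assumptions for this example; inside a real model you would call `self.class.send(:sanitize_sql_array, [...])` as Fred suggests and let the adapter do the quoting.

```ruby
# Stand-alone stand-in for ActiveRecord's sanitize_sql_array (example code,
# not ActiveRecord's implementation). Given ["SQL with ?", a, b, c] it
# returns the SQL text with each ? replaced by a quoted literal, which is
# the string form that connection.execute accepts.
module SpQuoting
  # Quote one Ruby value as a T-SQL literal.
  def self.quote(value)
    case value
    when nil            then "NULL"
    when Integer, Float then value.to_s
    when true           then "1"
    when false          then "0"
    when Time           then "'#{value.strftime('%Y-%m-%d %H:%M:%S')}'"
    else
      # Doubling the single quote is the T-SQL escape inside a string
      # literal; nothing else needs changing.
      "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # Build SQL text for [statement_with_placeholders, *values].
  # Refuses mismatched counts, which would otherwise shift parameters
  # silently into the wrong positions.
  def self.sanitize_sql_array(array)
    statement, *values = array
    placeholders = statement.count("?")
    unless placeholders == values.size
      raise ArgumentError,
            "wrong number of bind values (#{values.size} for #{placeholders})"
    end
    pending = values.dup
    # gsub with a block only visits the ? marks in the original statement,
    # so a ? inside a quoted value is never treated as a placeholder.
    statement.gsub("?") { quote(pending.shift) }
  end

  # Convenience wrapper: "EXECUTE proc_name ?, ?, ?" for any arity.
  def self.exec_sp(name, *args)
    placeholders = Array.new(args.size, "?").join(", ")
    sanitize_sql_array(["EXECUTE #{name} #{placeholders}", *args])
  end
end

if __FILE__ == $0
  puts SpQuoting.exec_sp("dumb_sp", "O'Brien", 42, nil)
  # EXECUTE dumb_sp 'O''Brien', 42, NULL
end
```

Note that the placeholders are unquoted here, unlike the `'?'` in the original attempt: the quoting routine supplies the surrounding quotes, so wrapping `?` in quotes yourself would double them.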