
I've got a scope on a model that looks like this:

scope :indexed_by_array, lambda { |ids|
  order = sanitize_sql_array(
    ["position((',' || id::text || ',') in ?)", ids.join(',') + ',']
  )
  where(id: ids).order(order)
}

After upgrading to Rails 5.2 it gets a slew of deprecation warnings, a la:

Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "position((',' || id::text || ',') in ',')". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql().

How do I change that scope to play ball with Rails 5.2?

mu is too short
t56k
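One way to satisfy the warning quoted in the question, as an added example (not code from the question or from Rails): make the ORDER BY fragment known-safe before wrapping it in `Arel.sql()`. The helper name `position_order_sql` is hypothetical, integer primary keys are assumed, and integer coercion stands in for `sanitize_sql_array` so the helper runs without Rails.

```ruby
# Added example, not from the original post. Pure Ruby: no Rails needed to run it.
# Assumption: ids are integer primary keys. position_order_sql is a hypothetical name.

# Build the ORDER BY fragment only from ids that parse as base-10 integers,
# so nothing but digits, '-' and commas can reach the SQL text.
def position_order_sql(ids)
  safe_ids = Array(ids).map do |id|
    # Integer() raises ArgumentError for "1; DROP TABLE users", "1.5" or nil,
    # whereas to_i would silently turn such input into a number.
    Integer(id.to_s, 10)
  end

  # Leading and trailing comma so every id, including the first, is matched
  # as ",<id>," and 1 cannot match inside 11.
  list = ",#{safe_ids.join(',')},"

  "position((',' || id::text || ',') in '#{list}')"
end

# In the model (Rails 5.2+), with the helper available to the model class,
# the fragment is a known-safe value and can be wrapped as the warning suggests:
#
#   scope :indexed_by_array, lambda { |ids|
#     where(id: ids).order(Arel.sql(position_order_sql(ids)))
#   }

if __FILE__ == $PROGRAM_NAME
  puts position_order_sql([3, 1, 2])
  begin
    position_order_sql(["1'); DROP TABLE users; --"]) # constructed hostile input
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

`Arel.sql()` performs no escaping itself; it only marks the string as trusted, so the validation has to happen before the wrap.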
