ruby on rails - How to safely pass parameters to ActiveRecord#select() when using PostgreSQL -

-

i have method takes column name , defines scope on model. scope makes use of postgresql window functions (like rank() , row_number()), adding additional column resulting dataset. example, user.ranked_on_score should add rank() column aliased score_ranking.

currently, achieved simple string interpolation (pseudocode): 

window_alias = "#{attr}_rankings" result_alias = "#{attr}_ranking"  select("users.*, #{window_alias}.#{result_alias}") .join("join (select id, rank() on (order #{attr} asc) #{result_alias} ...")

considering, scope should defined macro beforehand , doesn't take input users, approach should safe; nevertheless, don't it.

i know sanitize_sql method, doesn't work in case. wraps parameters in single quotes fine in where clause, raises syntax errors if used in select clause (pg requires identifiers wrapped in double quotes).

is there built-in method identifier sanitization? or should leave that?

have tried quote_column_name? it's undocumented reason, should need.

window_alias = quote_column_name("#{attr}_rankings") result_alias = quote_column_name("#{attr}_ranking")

under hood, it's equivalent calling pgconn.quote_ident when using postgresql.


Comments

Post a Comment

Popular posts from this blog

html - Styling progress bar with inline style -

-
i trying set progress bar color red using inline style. need in way because have access <body> part of document. style need apply: progress { color: red } progress::-moz-progress-bar { background: red;} progress::-webkit-progress-value { background: red; } progress[aria-valuenow]:before { background: red; } i tried <progress style="background: red;"> incorrect effect, progress bar color turns blue red background. guide right direction desired style? thank in advance. here live example: https://jsfiddle.net/z36d3f6l/
Read more

java - Oracle Sql developer error: could not install some modules -

-
i have downloaded fresh copy of sqldeveloper ( sqldeveloper-4.1.3.20.78-no-jre ) oracle website. when unzip , lauch gui, keep getting following error message: warning - not install modules: dynamic module config - no module providing capability org.netbeans.netbinox found. my system: windows 7 32 bit hp probook. jdk 1.6 , 1.7, 1.8 available in java/jdk subdirectory. netbeans 8.0.2 installed finally got way out after dirty hours. extracted sqldeveloper zip in nested directory. i.e: e://a/b/c/sqldeveloper. starting sqldeveloper gui above directory threw erros. solution: go in c:\users**username**\appdata\roaming : delete sql developer , sqldeveloper folders extract sql developer zip in new non nested directory. i.e: e:// start , should work now reference: https://community.oracle.com/thread/3870680?start=0&tstart=0
Read more

How to use autoclose brackets in Jupyter notebook? -

-
this may sound silly question, how make use of autoclose brackets in jupyter notebook? example, when type print( jupyter notebook auto-closes brakets print() and places cursor inside. type argument, say print(1 + 1) now cursor between second 1 , right bracket ) . key navigate right of ) ? of course can press end or → or ) achieve this, not seem save time, purpose of brackets autoclose suppose? thanks in advance.
Read more