mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Merge pull request #41626 from angdraug/find_by_sql_injection_warning
Reiterate the SQL injection warning in find_by_sql API doc
This commit is contained in:
commit
ac48eed08f
1 changed files with 3 additions and 0 deletions
|
@ -43,6 +43,9 @@ module ActiveRecord
|
|||
#
|
||||
# Post.find_by_sql ["SELECT title FROM posts WHERE author = ? AND created > ?", author_id, start_date]
|
||||
# Post.find_by_sql ["SELECT body FROM comments WHERE author = :user_id OR approved_by = :user_id", { :user_id => user_id }]
|
||||
#
|
||||
# Note that building your own SQL query string from user input may expose your application to
|
||||
# injection attacks (https://guides.rubyonrails.org/security.html#sql-injection).
|
||||
def find_by_sql(sql, binds = [], preparable: nil, &block)
|
||||
_load_from_sql(_query_by_sql(sql, binds, preparable: preparable), &block)
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue