Merge pull request rails#47734 from olefriis/add-arel-node-docs-for-binding-parameters-and-plus

matthewd · web-flow · commit 65115f731c68 · 2023-03-29T19:00:36.000+10:30
Add docs on Arel.sql binding parameters and +
diff --git a/activerecord/lib/arel/nodes/node.rb b/activerecord/lib/arel/nodes/node.rb
@@ -18,7 +18,7 @@ module Nodes
     # most nodes include a couple of useful factory methods to create subtree structures for common constraints. For
     # a full list of those, please refer to Arel::Predications.
     #
-    # The following example creates a equality constraint where the value of the name column on the users table
+    # The following example creates an equality constraint where the value of the name column on the users table
     # matches the value DHH.
     #
     #   users = Arel::Table.new(:users)
@@ -36,8 +36,8 @@ module Nodes
     #
     #   "users"."name" = 'DHH'
     #
-    # The constraint fragments can be used with regular ActiveRecord::Relation objects instead of as Hash. The
-    # following two example shows two ways of creating the same query.
+    # The constraint fragments can be used with regular ActiveRecord::Relation objects instead of a Hash. The
+    # following two examples show two ways of creating the same query.
     #
     #   User.where(name: 'DHH')
     #
@@ -51,7 +51,7 @@ module Nodes
     #
     # == Functions
     #
-    # Arel comes with built in support for SQL functions like +COUNT+, +SUM+, +MIN+, +MAX+, and +AVG+. The
+    # Arel comes with built-in support for SQL functions like +COUNT+, +SUM+, +MIN+, +MAX+, and +AVG+. The
     # Arel::Expressions module includes factory methods for the default functions.
     #
     #   employees = Employee.arel_table
@@ -73,7 +73,7 @@ module Nodes
     # Values that you pass to Arel nodes need to be quoted or wrapped in bind params. This ensures they are properly
     # converted into the correct format without introducing a possible SQL injection vulnerability. Most factory
     # methods (like +eq+, +gt+, +lteq+, …) quote passed values automatically. When not using a factory method, it’s
-    # possible to convert a value and wrap it in a Arel::Nodes::Quoted node (if necessary) by calling +Arel::Nodes.
+    # possible to convert a value and wrap it in an Arel::Nodes::Quoted node (if necessary) by calling +Arel::Nodes.
     # build_quoted+.
     #
     #   Arel::Nodes.build_quoted("foo") # 'foo'
@@ -98,7 +98,21 @@ module Nodes
     #
     #   # LOWER("users"."name") = 'dhh'
     #
-    # Please keep in mind that passing data as raw SQL literals might introduce a possible SQL injection.
+    # Please keep in mind that passing data as raw SQL literals might introduce a possible SQL injection. However,
+    # `Arel.sql` supports binding parameters which will ensure proper quoting. This can be useful when you need to
+    # control the exact SQL you run, but you still have potentially user-supplied values.
+    #
+    #   Arel.sql('LOWER("users"."name") = ?', 'dhh')
+    #
+    #   # LOWER("users"."name") = 'dhh'
+    #
+    # You can also combine SQL literals.
+    #
+    #   sql = Arel.sql('SELECT * FROM "users" WHERE ')
+    #   sql += Arel.sql('LOWER("users"."name") = :name', name: 'dhh')
+    #   sql += Arel.sql('AND "users"."age" > :age', age: 35)
+    #
+    #   # SELECT * FROM "users" WHERE LOWER("users"."name") = 'dhh' AND "users"."age" > '35'
     class Node
       include Arel::FactoryMethods
 

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ module Nodes`
`18`	`18`	`# most nodes include a couple of useful factory methods to create subtree structures for common constraints. For`
`19`	`19`	`# a full list of those, please refer to Arel::Predications.`
`20`	`20`	`#`
`21`		`- # The following example creates a equality constraint where the value of the name column on the users table`
	`21`	`+ # The following example creates an equality constraint where the value of the name column on the users table`
`22`	`22`	`# matches the value DHH.`
`23`	`23`	`#`
`24`	`24`	`# users = Arel::Table.new(:users)`
`@@ -36,8 +36,8 @@ module Nodes`
`36`	`36`	`#`
`37`	`37`	`# "users"."name" = 'DHH'`
`38`	`38`	`#`
`39`		`- # The constraint fragments can be used with regular ActiveRecord::Relation objects instead of as Hash. The`
`40`		`- # following two example shows two ways of creating the same query.`
	`39`	`+ # The constraint fragments can be used with regular ActiveRecord::Relation objects instead of a Hash. The`
	`40`	`+ # following two examples show two ways of creating the same query.`
`41`	`41`	`#`
`42`	`42`	`# User.where(name: 'DHH')`
`43`	`43`	`#`
`@@ -51,7 +51,7 @@ module Nodes`
`51`	`51`	`#`
`52`	`52`	`# == Functions`
`53`	`53`	`#`
`54`		`- # Arel comes with built in support for SQL functions like +COUNT+, +SUM+, +MIN+, +MAX+, and +AVG+. The`
	`54`	`+ # Arel comes with built-in support for SQL functions like +COUNT+, +SUM+, +MIN+, +MAX+, and +AVG+. The`
`55`	`55`	`# Arel::Expressions module includes factory methods for the default functions.`
`56`	`56`	`#`
`57`	`57`	`# employees = Employee.arel_table`
`@@ -73,7 +73,7 @@ module Nodes`
`73`	`73`	`# Values that you pass to Arel nodes need to be quoted or wrapped in bind params. This ensures they are properly`
`74`	`74`	`# converted into the correct format without introducing a possible SQL injection vulnerability. Most factory`
`75`	`75`	`# methods (like +eq+, +gt+, +lteq+, …) quote passed values automatically. When not using a factory method, it’s`
`76`		`- # possible to convert a value and wrap it in a Arel::Nodes::Quoted node (if necessary) by calling +Arel::Nodes.`
	`76`	`+ # possible to convert a value and wrap it in an Arel::Nodes::Quoted node (if necessary) by calling +Arel::Nodes.`
`77`	`77`	`# build_quoted+.`
`78`	`78`	`#`
`79`	`79`	`# Arel::Nodes.build_quoted("foo") # 'foo'`
`@@ -98,7 +98,21 @@ module Nodes`
`98`	`98`	`#`
`99`	`99`	`# # LOWER("users"."name") = 'dhh'`
`100`	`100`	`#`
`101`		`- # Please keep in mind that passing data as raw SQL literals might introduce a possible SQL injection.`
	`101`	`+ # Please keep in mind that passing data as raw SQL literals might introduce a possible SQL injection. However,`
	`102`	+ # `Arel.sql` supports binding parameters which will ensure proper quoting. This can be useful when you need to
	`103`	`+ # control the exact SQL you run, but you still have potentially user-supplied values.`
	`104`	`+ #`
	`105`	`+ # Arel.sql('LOWER("users"."name") = ?', 'dhh')`
	`106`	`+ #`
	`107`	`+ # # LOWER("users"."name") = 'dhh'`
	`108`	`+ #`
	`109`	`+ # You can also combine SQL literals.`
	`110`	`+ #`
	`111`	`+ # sql = Arel.sql('SELECT * FROM "users" WHERE ')`
	`112`	`+ # sql += Arel.sql('LOWER("users"."name") = :name', name: 'dhh')`
	`113`	`+ # sql += Arel.sql('AND "users"."age" > :age', age: 35)`
	`114`	`+ #`
	`115`	`+ # # SELECT * FROM "users" WHERE LOWER("users"."name") = 'dhh' AND "users"."age" > '35'`
`102`	`116`	`class Node`
`103`	`117`	`include Arel::FactoryMethods`
`104`	`118`