Skip to Content Skip to Search

module Arel



Public class methods

Wrap a known-safe SQL string for passing to query methods, e.g.

Post.order(Arel.sql("REPLACE(title, 'misc', 'zzzz') asc")).pluck(:id)

Great caution should be taken to avoid SQL injection vulnerabilities. This method should not be used with unsafe values such as request parameters or model attributes.

Take a look at the security guide for more information.

To construct a more complex query fragment, including the possible use of user-provided values, the sql_string may contain ? and :key placeholders, corresponding to the additional arguments. Note that this behavior only applies when bind value parameters are supplied in the call; without them, the placeholder tokens have no special meaning, and will be passed through to the query as-is.

The :retryable option can be used to mark the SQL as safe to retry. Use this option only if the SQL is idempotent, as it could be executed more than once.

Source code GitHub
# File activerecord/lib/arel.rb, line 52
def self.sql(sql_string, *positional_binds, retryable: false, **named_binds)
  if positional_binds.empty? && named_binds.empty?, retryable: retryable)
  else sql_string, positional_binds, named_binds

Definition files