The following warning is appearing on certain controller actions.

DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): 
"CASE id WHEN 343[...]". Non-attribute arguments will be disallowed in Rails 6.0. 
This method should not be called with user-provided values, 
such as request parameters or model attributes. 

But this method is not being called by "user-provided" values:

def find_ordered(ids)
  order_clause = "CASE id "
  ids.each_with_index do |id, index|
    order_clause << "WHEN #{id} THEN #{index} "
  end
  order_clause << "ELSE #{ids.length} END"
  where(id: ids).order(order_clause)
end

it does invoke model attributes. So how can this initializer method be syntaxed to be acceptable to Rails 6?

1 Answer

It is not strictly a 'user-provided value', but Rails cannot have any way to know whether a string comes from a user or is hard-coded in the program.

The way to get around this is to use Arel.sql.

Wrap a known-safe SQL string for passing to query methods, e.g.

where(id: ids).order(Arel.sql(order_clause))
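Arel.sql only marks the string as trusted; it performs no escaping, so whatever is interpolated into the clause must already be safe. As an added example (not part of the question or the answer), here is one way to make the find_ordered clause genuinely known-safe by coercing every id to an Integer before it is interpolated; the helper names are assumptions, and the plain-Ruby part runs without Rails.

```ruby
# Added example, not the asker's or the answerer's code. Arel.sql tells
# Rails "trust this string"; it does not make the string safe. Validating
# the ids before interpolation is what makes the CASE clause safe to wrap.

# Coerce each id to a non-negative Integer. Integer(str, 10) rejects
# anything that is not a clean decimal literal ("12abc", "1 OR 1=1", ""),
# so a tainted value can never reach the SQL string. (Helper name assumed.)
def coerce_ids(ids)
  ids.map do |id|
    n = id.is_a?(Integer) ? id : Integer(id.to_s, 10)
    raise ArgumentError, "negative id: #{id.inspect}" if n.negative?
    n
  end
end

# Build "CASE id WHEN 343 THEN 0 WHEN 7 THEN 1 ELSE 2 END" from validated
# ids, matching the shape produced by the question's find_ordered.
# (Helper name assumed.)
def ordered_case_clause(ids)
  safe_ids = coerce_ids(ids)
  whens = safe_ids.each_with_index.map { |id, i| "WHEN #{id} THEN #{i}" }
  ["CASE id", *whens, "ELSE #{safe_ids.length} END"].join(" ")
end

# Inside an ActiveRecord model (assumed), the validated clause can then be
# wrapped exactly as the answer suggests:
#
#   def self.find_ordered(ids)
#     where(id: ids).order(Arel.sql(ordered_case_clause(ids)))
#   end
#
# Only that query-building method needs Rails; the helpers above run alone.
```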