author | Sean Griffin <sean@seantheprogrammer.com> | 2015-10-29 14:38:42 -0600 |
---|---|---|
committer | Sean Griffin <sean@seantheprogrammer.com> | 2015-10-29 15:29:06 -0600 |
commit | 6a6dbb4c51fb0c58ba1a810eaa552774167b758a (patch) | |
tree | 7be0178e37465f01685d46d17c1f7d6bae787bf5 | |
parent | 42eb37ab514060c4217ad2dd845d3bf05007db0f (diff) | |
parent | b1737337e6b6218ae966b57e9484ae7d3aaff7e4 (diff) | |
Merge pull request #13008 from ktheory/sanitize_order
Support SQL sanitization in AR::QueryMethods#order
-rw-r--r-- | activerecord/lib/active_record/relation/query_methods.rb | 7 | ||||
-rw-r--r-- | activerecord/test/cases/relations_test.rb | 5 |
2 files changed, 12 insertions, 0 deletions
diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index f5afc1000d..ad6c7fa2e5 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1045,6 +1045,13 @@ module ActiveRecord
 end
 def preprocess_order_args(order_args)
+ order_args.map! do |arg|
+ if arg.is_a?(Array) && arg.first.to_s.include?('?')
+ klass.send(:sanitize_sql, arg)
+ else
+ arg
+ end
+ end
 order_args.flatten!
 validate_order_args(order_args)
diff --git a/activerecord/test/cases/relations_test.rb b/activerecord/test/cases/relations_test.rb
index 7521f0573a..cd23c1b3e1 100644
--- a/activerecord/test/cases/relations_test.rb
+++ b/activerecord/test/cases/relations_test.rb
@@ -297,6 +297,11 @@ class RelationTest < ActiveRecord::TestCase
 assert_equal 3, tags.length
 end
+ def test_finding_with_sanitized_order
+ query = Tag.order(["field(id, ?)", [1,3,2]]).to_sql
+ assert_match(/field\(id, 1,3,2\)/, query)
+ end
+
 def test_finding_with_order_limit_and_offset
 entrants = Entrant.order("id ASC").limit(2).offset(1) |
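Review bot: The `arg.first.to_s.include?('?')` test in `preprocess_order_args` is a heuristic that silently decides whether an Array is a bind template or a list of order clauses, and nothing in the new code documents that contract. Only the bound values are quoted by `sanitize_sql`; the first element is still emitted as raw SQL, so it has to remain a literal written by the developer, never text taken from a request. An array using named placeholders (`["field(id, :ids)", { ids: [1, 3, 2] }]`) contains no `?`, takes the `else` branch and is flattened as before, while an array of plain clauses whose first entry happens to contain a `?` is now routed into `sanitize_sql`. I would add a comment above the `map!` such as `# Arrays shaped [template_with_?, *binds] go through sanitize_sql; only the binds are quoted, the template stays raw SQL.` The method body continues outside the hunk.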
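Review bot: `test_finding_with_sanitized_order` binds only integers, which render the same whether or not quoting takes place, so the test would still pass if the bind values stopped being escaped. A second case with a string bind that contains a quote character, for example `query = Tag.order(["field(name, ?)", "a'b"]).to_sql` followed by `assert_no_match(/'a'b'/, query)`, would pin the quoting itself; the escaped form presumably differs per adapter, so asserting that the raw value is absent is the more portable check. A case for an array without `?` would also record that the earlier flatten behaviour is kept.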