authorDavid Heinemeier Hansson <david@loudthinking.com>2004-12-07 21:14:20 +0000
committerDavid Heinemeier Hansson <david@loudthinking.com>2004-12-07 21:14:20 +0000
commita775cb190312edba8ef3feb6345ac446d7e8f113 (patch)
tree31e730e99c36e0883f348a58df200a8ba8a4d424 /activerecord/lib
parent7a29764657eb75c516478bc31e88233601aae20e (diff)
Added the option for sanitizing find_by_sql and the offset parts in regular finds [Sam Stephenson]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@75 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'activerecord/lib')
-rwxr-xr-xactiverecord/lib/active_record/base.rb13
1 files changed, 9 insertions, 4 deletions
diff --git a/activerecord/lib/active_record/base.rb b/activerecord/lib/active_record/base.rb
index f52a1524d2..b876f83abb 100755
--- a/activerecord/lib/active_record/base.rb
+++ b/activerecord/lib/active_record/base.rb
@@ -274,21 +274,25 @@ module ActiveRecord #:nodoc:
# Returns an array of all the objects that could be instantiated from the associated
# table in the database. The +conditions+ can be used to narrow the selection of objects (WHERE-part),
# such as by "color = 'red'", and arrangement of the selection can be done through +orderings+ (ORDER BY-part),
- # such as by "last_name, first_name DESC". A maximum of returned objects can be specified in +limit+. Example:
+ # such as by "last_name, first_name DESC". A maximum of returned objects and their offset can be specified in
+ # +limit+ (LIMIT...OFFSET-part). Examples:
# Project.find_all "category = 'accounts'", "last_accessed DESC", 15
+ # Project.find_all ["category = ?", category_name], "created ASC", ["? OFFSET ?", 15, 20]
def find_all(conditions = nil, orderings = nil, limit = nil, joins = nil)
sql = "SELECT * FROM #{table_name} "
sql << "#{joins} " if joins
add_conditions!(sql, conditions)
sql << "ORDER BY #{orderings} " unless orderings.nil?
- sql << "LIMIT #{limit} " unless limit.nil?
+ sql << "LIMIT #{sanitize_conditions(limit)} " unless limit.nil?
find_by_sql(sql)
end
- # Works like find_all, but requires a complete SQL string. Example:
+ # Works like find_all, but requires a complete SQL string. Examples:
# Post.find_by_sql "SELECT p.*, c.author FROM posts p, comments c WHERE p.id = c.post_id"
+ # Post.find_by_sql ["SELECT * FROM posts WHERE author = ? AND created > ?", author_id, start_date]
def find_by_sql(sql)
+ sql = sanitize_conditions(sql)
connection.select_all(sql, "#{name} Load").inject([]) { |objects, record| objects << instantiate(record) }
end
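Review bot: The string form of `limit` on the new line 39 is still interpolated into the statement verbatim, because `sanitize_conditions` (defined outside this hunk) must pass plain SQL strings through unchanged for `conditions` to keep working; only the array form quotes its bind values, so callers who build the LIMIT/OFFSET string from request parameters get no protection from this change. The doc comment added at lines 29-32 should state that explicitly, e.g. `# Pass +limit+ as an array (["? OFFSET ?", 15, 20]) when any part of it originates outside the application; a plain string is inserted into the SQL unescaped.` The same caveat applies to the new `sanitize_conditions(sql)` call in find_by_sql, where a raw string is executed as-is and only the array form is bound, which the example at line 45 shows but the prose does not say. Whether integer bind values are emitted unquoted, as LIMIT and OFFSET require on most databases, depends on the adapter's quoting, which is not visible here and is worth a test per supported adapter.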
@@ -360,6 +364,7 @@ module ActiveRecord #:nodoc:
# Returns the result of an SQL statement that should only include a COUNT(*) in the SELECT part.
# Product.count "SELECT COUNT(*) FROM sales s, customers c WHERE s.customer_id = c.id"
def count_by_sql(sql)
+ sql = sanitize_conditions(sql)
count = connection.select_one(sql, "#{name} Count").values.first
return count ? count.to_i : 0
end
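Review bot: count_by_sql now accepts the array form through `sanitize_conditions`, but unlike find_by_sql its doc comment at lines 51-52 was not updated to show it; add `# Product.count_by_sql ["SELECT COUNT(*) FROM sales WHERE customer_id = ?", customer_id]` so the bound form, rather than string interpolation, is the one readers copy. The existing example calls `Product.count` while the method is `count_by_sql`; if `count` is a separate method, the example points at the wrong one and should read `Product.count_by_sql`. `sanitize_conditions` is defined outside this hunk, so its handling of a plain string (presumably returned untouched) cannot be confirmed from here.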
@@ -1073,4 +1078,4 @@ module ActiveRecord #:nodoc:
string[0..3] == "--- "
end
end
-end \ No newline at end of file
+end