1 files changed, 29 insertions, 3 deletions

diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
index 7f6664ea50..4e89ba4dd1 100644
--- a/activerecord/lib/active_record/sanitization.rb
+++ b/activerecord/lib/active_record/sanitization.rb
@@ -3,7 +3,8 @@ module ActiveRecord
     extend ActiveSupport::Concern
 
     module ClassMethods
-      # Used to sanitize objects before they're used in an SQL SELECT statement. Delegates to <tt>connection.quote</tt>.
+      # Used to sanitize objects before they're used in an SQL SELECT statement.
+      # Delegates to {connection.quote}[rdoc-ref:ConnectionAdapters::Quoting#quote].
       def sanitize(object) # :nodoc:
         connection.quote(object)
       end
@@ -17,6 +18,9 @@ module ActiveRecord
       #   sanitize_sql_for_conditions(["name=? and group_id=?", "foo'bar", 4])
       #   # => "name='foo''bar' and group_id=4"
       #
+      #   sanitize_sql_for_conditions(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
+      #   # => "name='foo''bar' and group_id='4'"
+      #
       #   sanitize_sql_for_conditions(["name='%s' and group_id='%s'", "foo'bar", 4])
       #   # => "name='foo''bar' and group_id='4'"
       #
@@ -39,6 +43,9 @@ module ActiveRecord
       #   sanitize_sql_for_assignment(["name=? and group_id=?", nil, 4])
       #   # => "name=NULL and group_id=4"
       #
+      #   sanitize_sql_for_assignment(["name=:name and group_id=:group_id", name: nil, group_id: 4])
+      #   # => "name=NULL and group_id=4"
+      #
       #   Post.send(:sanitize_sql_for_assignment, { name: nil, group_id: 4 })
       #   # => "`posts`.`name` = NULL, `posts`.`group_id` = 4"
       #
@@ -52,9 +59,25 @@ module ActiveRecord
         end
       end
 
+      # Accepts an array, or string of SQL conditions and sanitizes
+      # them into a valid SQL fragment for a ORDER clause.
+      #
+      #   sanitize_sql_for_order(["field(id, ?)", [1,3,2]])
+      #   # => "field(id, 1,3,2)"
+      #
+      #   sanitize_sql_for_order("id ASC")
+      #   # => "id ASC"
+      def sanitize_sql_for_order(condition)
+        if condition.is_a?(Array) && condition.first.to_s.include?('?')
+          sanitize_sql_array(condition)
+        else
+          condition
+        end
+      end
+
       # Accepts a hash of SQL conditions and replaces those attributes
-      # that correspond to a +composed_of+ relationship with their expanded
-      # aggregate attribute values.
+      # that correspond to a {#composed_of}[rdoc-ref:Aggregations::ClassMethods#composed_of]
+      # relationship with their expanded aggregate attribute values.
       #
       # Given:
       #
@@ -123,6 +146,9 @@ module ActiveRecord
       #   sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])
       #   # => "name='foo''bar' and group_id=4"
       #
+      #   sanitize_sql_array(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
+      #   # => "name='foo''bar' and group_id=4"
+      #
       #   sanitize_sql_array(["name='%s' and group_id='%s'", "foo'bar", 4])
       #   # => "name='foo''bar' and group_id='4'"
       def sanitize_sql_array(ary)