Diffstat (limited to 'activerecord/lib/active_record/sanitization.rb')
-rw-r--r--activerecord/lib/active_record/sanitization.rb23
1 files changed, 13 insertions, 10 deletions
diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
index 1aa93ffbb3..f5aa60a69a 100644
--- a/activerecord/lib/active_record/sanitization.rb
+++ b/activerecord/lib/active_record/sanitization.rb
@@ -87,11 +87,15 @@ module ActiveRecord
# { address: Address.new("123 abc st.", "chicago") }
# # => "address_street='123 abc st.' and address_city='chicago'"
def sanitize_sql_hash_for_conditions(attrs, default_table_name = self.table_name)
- attrs = PredicateBuilder.resolve_column_aliases self, attrs
+ table = Arel::Table.new(table_name).alias(default_table_name)
+ predicate_builder = PredicateBuilder.new(TableMetadata.new(self, table))
+ ActiveSupport::Deprecation.warn(<<-EOWARN)
+sanitize_sql_hash_for_conditions is deprecated, and will be removed in Rails 5.0
+ EOWARN
+ attrs = predicate_builder.resolve_column_aliases(attrs)
attrs = expand_hash_conditions_for_aggregates(attrs)
- table = Arel::Table.new(table_name, arel_engine).alias(default_table_name)
- PredicateBuilder.build_from_hash(self, attrs, table).map { |b|
+ predicate_builder.build_from_hash(attrs).map { |b|
connection.visitor.compile b
}.join(' AND ')
end
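Review bot: The message passed to `ActiveSupport::Deprecation.warn` in `sanitize_sql_hash_for_conditions` names no replacement, so a caller who sees it gets no pointer to a supported way of building the same condition and may fall back to interpolating values into SQL strings. If the hash form of `where` is the intended path, say so in the text, for example `sanitize_sql_hash_for_conditions is deprecated and will be removed in Rails 5.0; pass the conditions hash to where instead`. The `<<-EOWARN` heredoc also keeps its trailing newline in the warning, which a plain one-line string would avoid. The warning is emitted after `table` and `predicate_builder` are built; making it the first statement of the method would keep the deprecation visible at a glance.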
@@ -103,11 +107,12 @@ module ActiveRecord
def sanitize_sql_hash_for_assignment(attrs, table)
c = connection
attrs.map do |attr, value|
- "#{c.quote_table_name_for_assignment(table, attr)} = #{quote_bound_value(value, c, columns_hash[attr.to_s])}"
+ value = type_for_attribute(attr.to_s).type_cast_for_database(value)
+ "#{c.quote_table_name_for_assignment(table, attr)} = #{c.quote(value)}"
end.join(', ')
end
- # Sanitizes a +string+ so that it is safe to use within a sql
+ # Sanitizes a +string+ so that it is safe to use within an SQL
# LIKE statement. This method uses +escape_character+ to escape all occurrences of "\", "_" and "%"
def sanitize_sql_like(string, escape_character = "\\")
pattern = Regexp.union(escape_character, "%", "_")
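Review bot: In `sanitize_sql_hash_for_assignment`, a key in `attrs` that matches no column is now cast by whatever `type_for_attribute(attr.to_s)` returns for an unknown name, and the result goes straight to `c.quote`. The removed line passed `columns_hash[attr.to_s]` (nil for such a key) to `quote_bound_value`, which, from the part visible in the last hunk, appears to treat enumerable values specially. If the fallback type passes values through unchanged, an Array value for an unknown key would be quoted differently than before, so this case deserves a test or a comment such as `# unknown attributes use the default type; non-scalar values are quoted as a single literal`. The block also reassigns its own `value` parameter; a separate local, `casted = type_for_attribute(attr.to_s).type_cast_for_database(value)`, reads more clearly. `sanitize_sql_like` at the end of this hunk continues outside it.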
@@ -134,7 +139,7 @@ module ActiveRecord
raise_if_bind_arity_mismatch(statement, statement.count('?'), values.size)
bound = values.dup
c = connection
- statement.gsub('?') do
+ statement.gsub(/\?/) do
replace_bind_variable(bound.shift, c)
end
end
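Review bot: Nothing here says why the `gsub` argument changes from the string `'?'` to the regex `/\?/`, and the two look equivalent to a reader, so the line needs a comment giving the reason. Both `statement.count('?')` and this `gsub` treat every `?` in `statement` as a placeholder, including one inside a quoted literal, and the block form substitutes in a single pass, so a `?` inside an already-quoted value is not expanded again. Both properties matter for anyone auditing this method and are worth stating, e.g. `# every '?' is a bind marker; single pass, so substituted values are never rescanned`. The method's `def` line is outside this hunk.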
@@ -159,10 +164,8 @@ module ActiveRecord
end
end
- def quote_bound_value(value, c = connection, column = nil) #:nodoc:
- if column
- c.quote(value, column)
- elsif value.respond_to?(:map) && !value.acts_like?(:string)
+ def quote_bound_value(value, c = connection) #:nodoc:
+ if value.respond_to?(:map) && !value.acts_like?(:string)
if value.respond_to?(:empty?) && value.empty?
c.quote(nil)
else