From b1737337e6b6218ae966b57e9484ae7d3aaff7e4 Mon Sep 17 00:00:00 2001
From: Aaron Suggs
Date: Fri, 22 Nov 2013 13:46:51 -0500
Subject: Support SQL sanitization in AR::QueryMethods#order

Add support for sanitizing arrays in SQL ORDER clauses. This is useful when using MySQL `ORDER BY FIELD()` to return records in a predetermined way.

```ruby
Tag.order(['field(id, ?', [1,3,2]].to_sql
# => SELECT "tags".* FROM "tags" ORDER BY field(id, 1,3,2)
```

Prior to this, developers must be careful to sanitize `#order` arguments themselves.
---
 activerecord/lib/active_record/relation/query_methods.rb | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'activerecord/lib')

diff --git a/activerecord/lib/active_record/relation/query_methods.rb b/activerecord/lib/active_record/relation/query_methods.rb
index 473762011b..b676b231ec 100644
--- a/activerecord/lib/active_record/relation/query_methods.rb
+++ b/activerecord/lib/active_record/relation/query_methods.rb
@@ -1029,6 +1029,13 @@ module ActiveRecord
 end
 def preprocess_order_args(order_args)
+ order_args.map! do |arg|
+ if arg.is_a?(Array) && arg.first.to_s.include?('?')
+ klass.send(:sanitize_sql, arg)
+ else
+ arg
+ end
+ end
 order_args.flatten!
 validate_order_args(order_args)
-- 
cgit v1.2.3
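Review bot: The `arg.first.to_s.include?('?')` test in the new `map!` block only recognizes positional placeholders, so an array using the named-bind form that `sanitize_sql` also accepts, such as `['field(id, :ids)', ids: [1, 3, 2]]`, is not sanitized and is instead flattened into a raw SQL string followed by a Hash. If named binds are meant to work here, the condition could become `if arg.is_a?(Array) && (arg.first.to_s.include?('?') || arg.last.is_a?(Hash))`; otherwise the `?`-only restriction should be stated in the `order` method's documentation, which lies outside this hunk. Either way it is worth noting next to the `klass.send(:sanitize_sql, arg)` line that only the bind values are quoted and the template string is still interpolated verbatim into ORDER BY, e.g. `# sanitize_sql quotes the bind values only; the template string is emitted as-is`. The remainder of `preprocess_order_args` continues past the end of the hunk.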