For performance reasons, I need to write a new method in my Rails model that executes some arbitrary SQL:
UPDATE table
SET col1 = ? AND col2 = ?
WHERE id = ?
I understand I can use ActiveRecord::Base.connection.execute or ActiveRecord::Base.connection.update with a string of SQL to get the results I need, but what is the proper procedure for substituting the parameter placeholders (?) with the actual parameter values? Is there a Rails method for interpolating parameters into a SQL statement, or should it just be done by manual interpolation? The latter seems unsafe...
You could also do this:
updates = ActiveRecord::Base.send(:sanitize_sql_array, ["name = ? and category = ?", name, category])
ActiveRecord::Base.connection.execute("update table set #{updates} where id = #{id.to_s.to_i}")
to_s is being called on id before to_i in case it's nil.
来源:https://stackoverflow.com/questions/4556672/how-to-execute-arbitrary-parameterized-sql-in-rails