by nieve 2401 days ago
I'm somewhat confused why the author didn't use bind variables, since as far as I know the standard PostgreSQL adapters fully support them. Even if you trust that quote_string() will never have a vulnerability, it's safer to not use string interpolation at all, and it doesn't cost you anything.

(not the author, but I've discussed this with him previously)

This is a problem with `order` in Active Record in particular, where you can't pass in a bind variable the same way you'd expect it to work with `where`.

Therefore, the slightly less elegant version that goes through `quote_string`. You could use bind variables by going directly to the pg driver, but I think there is no quick shorthand to do this in Active Record/Arel.
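An added example, not code from either commenter: since a bind parameter carries a value rather than an identifier, it cannot name the column in an `ORDER BY` even when you reach the pg driver directly, so the practical defence for `order` is an allowlist of columns and directions rather than quoting. The column list and the sort-string format below are constructed for the example.

```ruby
# Builds an ORDER BY fragment from a user-supplied sort parameter such as
# "name asc,created_at desc". Nothing from the request is interpolated into
# SQL unless it matched an allowlisted column or direction first.

ALLOWED_SORT_COLUMNS = %w[name created_at price].freeze # constructed allowlist
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

class UnsafeOrderError < ArgumentError; end

# Quote a PostgreSQL identifier: wrap in double quotes, doubling any embedded
# double quote. Only applied to names that already passed the allowlist.
def quote_identifier(name)
  '"' + name.gsub('"', '""') + '"'
end

# Parse the sort parameter into "\"col\" ASC, \"col2\" DESC". Every column
# and direction must be on the allowlist; anything else raises instead of
# being passed through to the query.
def safe_order_clause(sort_param, allowed_columns: ALLOWED_SORT_COLUMNS)
  parts = sort_param.to_s.split(",").map(&:strip).reject(&:empty?)
  raise UnsafeOrderError, "empty sort" if parts.empty?

  clauses = parts.map do |part|
    column, direction = part.split(/\s+/, 2)
    direction = (direction || "asc").downcase
    unless allowed_columns.include?(column)
      raise UnsafeOrderError, "column not allowed: #{column.inspect}"
    end
    unless ALLOWED_DIRECTIONS.include?(direction)
      raise UnsafeOrderError, "direction not allowed: #{direction.inspect}"
    end
    "#{quote_identifier(column)} #{direction.upcase}"
  end
  clauses.join(", ")
end

# True when the sort parameter would be rejected by the allowlist.
def rejected?(sort_param)
  safe_order_clause(sort_param)
  false
rescue UnsafeOrderError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts safe_order_clause("name asc, created_at desc")
  # In Active Record the fragment is handed to order via Arel.sql(fragment),
  # which marks it as already-validated SQL.
end
```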