Module: Immunio::SanitizeHooks

Extended by:
ActiveSupport::Concern
Defined in:
lib/immunio/plugins/active_record.rb

Overview

There is one place where a statement may be quoted without going through the quote method. This occurs when a where statement is given an array, like:

Users.where(["email LIKE %s", "[email protected]"])

The first value is a sprintf format string and the rest are values interpolated into it. This triggers a call into sanitize_sql_array, which will pass the values through quote_string, but only if the first value is not a Hash and the statement does not include '?' placeholders. Otherwise, different interpolation and quoting mechanisms are used.

The above has been verified to be the case from Rails 3.0 to 4.2.
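The dispatch described above, as an added example that is neither Immunio's nor Rails' own code: a self-contained model of how sanitize_sql_array chooses between named binds, '?' placeholders and the sprintf path, with constructed stand-ins for connection.quote_string and connection.quote so it runs without ActiveRecord.

```ruby
# Added example: models the branch order of ActiveRecord's sanitize_sql_array
# (Rails 3.0-4.2 behaviour described in the overview). ConditionModel, quote_string
# and quote are constructed stand-ins, not the real connection adapter methods.
module ConditionModel
  # Stand-in for connection.quote_string: escapes the string body only and adds
  # no surrounding quotes, so a sprintf format must supply them itself ('%s').
  def self.quote_string(s)
    s.gsub("'", "''")
  end

  # Stand-in for connection.quote: escapes and wraps strings in single quotes,
  # passes numerics through unquoted. This is the path '?' and :name binds use.
  def self.quote(v)
    v.is_a?(Numeric) ? v.to_s : "'#{quote_string(v.to_s)}'"
  end

  # Returns [path_taken, sql] so a caller can see which quoting routine ran.
  # Only the :sprintf branch sends values through quote_string, which is the
  # case the SanitizeHooks module has to cover separately from quote.
  def self.sanitize_sql_array(ary)
    statement, *values = ary
    if values.first.is_a?(Hash) && statement =~ /:\w+/
      # Named binds: each :name is replaced by the quoted hash value.
      [:named, statement.gsub(/:(\w+)/) { quote(values.first.fetch($1.to_sym)) }]
    elsif statement.include?("?")
      # Positional binds: each '?' consumes the next value, quoted via quote.
      vals = values.dup
      [:positional, statement.gsub("?") { quote(vals.shift) }]
    else
      # sprintf path: values are escaped with quote_string, then interpolated.
      [:sprintf, statement % values.map { |v| quote_string(v.to_s) }]
    end
  end
end
```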