Module: SafeSqlExecutor

Defined in:
lib/safe_sql_executor.rb


Class Method Details

.execute_select(query) ⇒ Object



# File 'lib/safe_sql_executor.rb', line 2

# Run +query+ on the application's ActiveRecord connection once it has
# passed {.validate_select_query}.
#
# The text is handed to the adapter verbatim after the check; nothing is
# rewritten or parameterised here.
#
# NOTE(review): the validator only inspects how the statement begins, so
# the privileges of the connection's database role remain the effective
# boundary for what this call can do — confirm that role is read-only.
#
# @param query [String] raw SQL expected to be a SELECT (optionally
#   preceded by a WITH clause)
# @return [Object] whatever the adapter's +execute+ returns
# @raise [ArgumentError] when the validator rejects the statement
def self.execute_select(query)
  # Gate first: a rejected statement raises before any connection is used.
  validate_select_query(query)

  connection = ActiveRecord::Base.connection
  connection.execute(query)
end

.validate_select_query(query) ⇒ Object



# File 'lib/safe_sql_executor.rb', line 12

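# Reject anything that does not look like a read query before it reaches
# the adapter.
#
# All runs of whitespace (including newlines) are collapsed to a single
# space and the text is upcased; the result must then begin with
# +SELECT+ or with a +WITH ... SELECT+ prefix.
#
# NOTE: this is a prefix allowlist, not a parser. It does not look at
# anything after the leading keyword(s) — the +.++ inside the WITH group
# accepts arbitrary text, and nothing after +SELECT+ is examined — so it
# cannot tell whether the remainder of the statement is harmless or
# whether the adapter would treat the text as more than one statement.
# Treat it as a gate in front of a connection that already holds only
# read privileges, not as the sole control.
#
# @param query [String] raw SQL text
# @return [nil]
# @raise [ArgumentError] if +query+ is not string-like, or does not start
#   with SELECT / WITH ... SELECT after normalisation
def self.validate_select_query(query)
  # A nil or non-string query is a caller bug; report it as the same
  # error class callers already handle rather than a NoMethodError.
  raise ArgumentError, "query must be a String" unless query.respond_to?(:to_str)

  normalized = query.to_str.strip.gsub(/\s+/, " ").upcase

  # \A anchors at the start of the whole string. ^ would also match right
  # after a newline; that is moot after the whitespace collapse above,
  # but \A keeps the check correct if that normalisation ever changes.
  return if normalized.match?(/\A(WITH .+)?SELECT /)

  raise ArgumentError, "Only SELECT queries (including with CTEs) are allowed"
end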