Reputation: 131
Rails6 how to do `XXX.update_all` with mysql function
I would like to use update_all in order to update all records in a database.
Let me assume that the name of the attribute to be update is price.
I succeeded command A.
A
MyModel.update_all(price: "$500")
However, I would like to mysql function(e.g. IF, CONCAT, arithmetic...) in updating.
so I tried command B, but failed and the string value CONCAT('$', 500) was stored.
B
MyModel.update_all(price: "CONCAT('$', 500)")
I succeeded when I tried C, but I don't want use it because of the SQL injection risks.
C
MyModel.update_all("price = CONCAT('$', 500)")
How can I do that without any risk of SQL injection attacks?
Here, I have to use sql function here for some reasons.
Thank you in advance.
Upvotes: 0
Views: 245
Answers (1)
Reputation: 394
You need to create methods corresponding to allowable sql functions that take the params as input. So if you want to provide "CONCAT(..,...)" then user should be able to call a method like this. You can extent it to check type of arguments are allowed and add checks there as well.
def allowed_functions(func_name, all_args_here)
case func_name
when 'concat' then "CONCAT(#{all_args_here})"
end
end
Upvotes: 1
Related Questions
- Rails - update directly in SQL
- How to pass a variable parameter value using the update_all() method in Rails?
- update_all not updating my database
- Update All Records in Rails Database
- Update ActiveRecord attribute with SQL function
- update_all with a method
- Rails 4 update_all and set value from another field
- update several records using update_all
- update_all with string concatenate
- Question about update_all in Ruby