Many of the connection query methods that come with ActiveRecord accept an
optional binds parameter. This can be used to safely inject parameters into
the query.
Here's a SQL query we could use with one of these methods:
sql = <<-SQL
select
coalesce(places.latitude, 41.8781) latitude,
coalesce(places.longitude, -87.6298) longitude
from places
join appointments
on places.id = apointments.places_id
where appointments.id = $1
and status = $2
SQLNotice the $1 and $2, those are what will be bound to the two parameters
included as binds.
connection = ActiveRecord::Base.connection
binds = [[nil, appt_id], [nil, input_status]]
coords = connection.select_one(sql, nil, binds)
coords
#=> { "latitude": 41.8781, "longitude": -87.6298 }Notice the binds is an array of tuples. It's the second value in each tuple
that gets bound the corresponding binding indicator in the sql. The syntax is a
bit awkward since it is a lower-level API, however once you know it, you can
manage.