Ruby On Rails, SQL and SQL parameters
I have a complex SQL query. I need to pass parameters to the SQL query safely. How can I avoid SQL injections without using ActiveRecord? Where should I keep SQL models/controllers? Does anyone know good practice for working with SQL server without ActiveRecord?
When you bypass ActiveRecord you pretty much have to do everything manually. I assume you have good reasons for doing so.
ActiveRecord::Base has the following methods: sanitize_sql_for_assignments (for SET) and sanitize_sql_for_conditions (for SELECT). There are a few other sanitize_sql_* methods that are probably worth looking at too. Both accept a hash (which uses the keys as column names) or a string.
I could be mistaken, but to fetch records and skip ActiveRecord, I think you use ActiveRecord::Base.connection.execute(sql), which should return objects from your database connector. Check the docs for the connector to see what is returned and how to work with it.
As for best practices, sorry, I can't help you there :-)
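Added example, not code from the original answer: a stripped-down Ruby re-implementation of what ActiveRecord's sanitize_sql_array ("?" and ":name" placeholders) and sanitize_sql_for_conditions (Hash form) do, so the quoting behaviour can be run and inspected without the activerecord gem installed. The module name SqlSanitizer and all method names are mine; the real methods live on ActiveRecord::Base and use the connection's own quoter, and in an application you should call those (or the driver's bound-parameter API) rather than ship this. The point it demonstrates is what a sanitizer must do to an injection payload, and the one place plain quote-doubling is not enough.

```ruby
# Added example (not from the original answer or from ActiveRecord itself).
# Minimal re-implementation of the placeholder and Hash sanitizing that
# ActiveRecord::Base.sanitize_sql_array / sanitize_sql_for_conditions
# perform, runnable without the activerecord gem.
module SqlSanitizer
  module_function

  # Quote one Ruby value as an SQL literal. Strings get single quotes with
  # embedded quotes doubled (the SQL-standard escape); nil becomes NULL;
  # arrays become a parenthesised list for IN (...).
  #
  # Caveat: quote-doubling is ANSI SQL. MySQL (unless NO_BACKSLASH_ESCAPES
  # is on) also treats backslash as an escape, so a driver-aware quoter
  # (ActiveRecord's connection.quote) or true bind parameters is what you
  # want in production; this is an illustration of the technique only.
  def quote(value)
    case value
    when nil            then "NULL"
    when true           then "TRUE"
    when false          then "FALSE"
    when Integer, Float then value.to_s
    when Array
      value.empty? ? "(NULL)" : "(" + value.map { |v| quote(v) }.join(", ") + ")"
    else
      "'" + value.to_s.gsub("'", "''") + "'"
    end
  end

  # Column names are not data and cannot be escaped as literals: only plain
  # identifiers are allowed, and they are double-quoted. Anything else is a
  # bug in the caller, so it raises instead of being "escaped".
  def quote_column(name)
    name = name.to_s
    unless name.match?(/\A[A-Za-z_][A-Za-z0-9_]*\z/)
      raise ArgumentError, "unsafe column name: #{name.inspect}"
    end
    %("#{name}")
  end

  # ["col = ? AND other > ?", v1, v2] style. The template is split on "?"
  # before any value is inserted, so a "?" inside a quoted value can never
  # be mistaken for a placeholder.
  def sanitize_array(template, *values)
    parts = template.split("?", -1)
    unless parts.length - 1 == values.length
      raise ArgumentError,
            "wrong number of bind variables (#{values.length} for #{parts.length - 1})"
    end
    out = parts.first.dup
    values.each_with_index { |v, i| out << quote(v) << parts[i + 1] }
    out
  end

  # "col = :name" style with a Hash of values. A "::" is left alone so a
  # PostgreSQL cast such as id::text survives; a missing key raises.
  def sanitize_named(template, values)
    template.gsub(/(?<!:):([A-Za-z_]\w*)/) do
      key = Regexp.last_match(1).to_sym
      raise KeyError, "missing value for :#{key}" unless values.key?(key)
      quote(values[key])
    end
  end

  # Hash of column => value joined with AND; nil maps to IS NULL and an
  # Array to IN (...), which is what the Hash form of
  # sanitize_sql_for_conditions produces.
  def sanitize_conditions(conditions)
    conditions.map do |col, v|
      lhs = quote_column(col)
      case v
      when nil   then "#{lhs} IS NULL"
      when Array then "#{lhs} IN #{quote(v)}"
      else            "#{lhs} = #{quote(v)}"
      end
    end.join(" AND ")
  end
end

if __FILE__ == $PROGRAM_NAME
  # A classic injection payload, passed as a bind value instead of being
  # interpolated into the string. The result is what you would hand to
  # ActiveRecord::Base.connection.execute(sql).
  attacker = "x' OR '1'='1"
  puts SqlSanitizer.sanitize_array("SELECT * FROM users WHERE name = ? AND age > ?", attacker, 18)
  puts SqlSanitizer.sanitize_conditions(name: "bob", deleted_at: nil, id: [1, 2])
end
```

Note the two failure modes the code refuses rather than escapes: column names are validated, not quoted, because an identifier from user input has no safe literal form, and a mismatch between placeholders and values raises instead of silently leaving a "?" in the SQL.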
ActiveRecord has sanitize_sql functions for this.
You can check the source code of these methods.