module ActiveRecord::Sanitization::ClassMethods

def sanitize_sql_array(ary)

sanitize_sql_array(["role = ?", 0])
# => "role = '0'"

Note that this sanitization method is not schema-aware, so it performs no type casting
and passes every value directly to the database adapter's +quote+ method.
For MySQL specifically this means that numeric parameters are quoted as strings
to prevent query manipulation attacks (see the example below).

sanitize_sql_array(["name='%s' and group_id='%s'", "foo'bar", 4])
# => "name='foo''bar' and group_id='4'"

sanitize_sql_array(["TO_TIMESTAMP(:date, 'YYYY/MM/DD HH12\\:MI\\:SS')", date: "foo"])
# => "TO_TIMESTAMP('foo', 'YYYY/MM/DD HH12:MI:SS')"

sanitize_sql_array(["name=:name and group_id=:group_id", name: "foo'bar", group_id: 4])
# => "name='foo''bar' and group_id=4"

sanitize_sql_array(["name=? and group_id=?", "foo'bar", 4])
# => "name='foo''bar' and group_id=4"

Accepts an array of conditions: the first element is the SQL statement template and the
remaining elements are the values, each of which is sanitized and interpolated into the
statement. Only the values are sanitized; the template itself is used verbatim, so it must
be a trusted literal written by the developer and never assembled from user input.
If using named bind variables in SQL statements where a colon is required verbatim, use a
backslash to escape it.
# Builds a SQL fragment from +ary+, whose first element is the statement
# template and whose remaining elements are the values to substitute.
#
# Dispatch order matters and is preserved here:
# 1. a Hash as the first value plus a +:name+ token in the template
#    -> named bind replacement;
# 2. a "?" anywhere in the template -> positional bind replacement;
# 3. a blank template -> returned untouched;
# 4. otherwise the template is treated as a printf-style format string and
#    each value is escaped with the adapter's +quote_string+.
#
# Only the values are sanitized; the template is interpolated as-is, so it
# must never be built from untrusted input. In the format-string branch
# +quote_string+ escapes but does not add surrounding quotes, so the template
# itself has to supply them (e.g. "name='%s'").
#
# @param ary [Array] statement template followed by its bind values
# @return [String] the SQL fragment with values substituted
def sanitize_sql_array(ary)
  statement, *values = ary
  uses_named_binds = values.first.is_a?(Hash) && /:\w+/.match?(statement)

  if uses_named_binds
    with_connection { |conn| replace_named_bind_variables(conn, statement, values.first) }
  elsif statement.include?("?")
    with_connection { |conn| replace_bind_variables(conn, statement, values) }
  elsif statement.blank?
    statement
  else
    with_connection do |conn|
      # Legacy printf-style path: values are escaped, not quoted.
      escaped_values = values.map { |value| conn.quote_string(value.to_s) }
      statement % escaped_values
    end
  end
end