Tags: ruby-on-rails, ruby, ruby-on-rails-6, sanitization

How to sanitize SQL parameters passed to ST_Centroid


I am trying to sanitize the parameters passed to ST_Centroid, but I am getting a syntax error.

st_centroid

"SELECT ST_AsText(ST_Centroid(MULTIPOINT ( 0 0, 0 0, 0 0, 0 0 ))) as centroid"
    
sql = ActiveRecord::Base::sanitize_sql_array(['SELECT ST_AsText(ST_Centroid(MULTIPOINT ( ? ?, ? ?, ? ?, ? ? ))) as centroid', min_longitude, min_latitude, min_longitude, max_latitude, max_longitude, min_latitude, max_longitude, max_latitude])

ActiveRecord::Base.connection.execute(sql)&.to_a&.first["centroid"] || ""

Syntax Error

from /home/aniket/.rvm/gems/ruby-2.6.5@project/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/postgresql/database_statements.rb:92:in `exec'
Caused by PG::SyntaxError: ERROR:  syntax error at or near "0"
LINE 1: SELECT ST_AsText(ST_Centroid(MULTIPOINT ( 0 0, 0 0, 0 0, 0 0..

It works fine if I do not sanitize it:

sql = "SELECT ST_AsText(ST_Centroid('MULTIPOINT ( #{min_longitude} #{min_latitude}, #{min_longitude} #{max_latitude}, #{max_longitude} #{min_latitude}, #{max_longitude} #{max_latitude} )')) as centroid";

ActiveRecord::Base.connection.execute(sql)&.to_a&.first["centroid"]
   (0.7ms)  SELECT ST_AsText(ST_Centroid('MULTIPOINT ( 0 0, 0 0, 0 0, 0 0 )')) as centroid
=> "POINT(0 0)"

Solution

  • According to the documentation, MULTIPOINT should be quoted with ', and I see that you missed that when using sanitize_sql_array, so try this:

    sql = ActiveRecord::Base::sanitize_sql_array([
     "SELECT ST_AsText(ST_Centroid('MULTIPOINT ( ? ?, ? ?, ? ?, ? ? )')) as centroid", 
     min_longitude, min_latitude, min_longitude, 
     max_latitude, max_longitude, min_latitude, 
     max_longitude, max_latitude
    ])
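As an added example (not code from the question or the answer), the same statement can be built from coordinates that are coerced to Float first, so a value taken from request parameters can only ever reach the SQL text as a number; the bounding-box corner order is the one the question uses, and the function names are assumptions of this example.

```ruby
# Added example: build the MULTIPOINT WKT for ST_Centroid only from values
# that are provably numeric. Plain Ruby, no ActiveRecord connection needed.

# Coerce one coordinate with Float(), which raises ArgumentError/TypeError on
# anything that is not a complete numeric literal ("0'", "", nil, ...),
# then reject values outside the valid range for the axis.
def coordinate(value, axis)
  f = Float(value)
  limit = axis == :lon ? 180.0 : 90.0
  raise ArgumentError, "#{axis} out of range: #{f}" if f.nan? || f.abs > limit
  f
end

# The four corners of a bounding box, in the order the question uses:
# (min_lon,min_lat), (min_lon,max_lat), (max_lon,min_lat), (max_lon,max_lat).
def bbox_corners(min_lon, min_lat, max_lon, max_lat)
  lons = [coordinate(min_lon, :lon), coordinate(max_lon, :lon)]
  lats = [coordinate(min_lat, :lat), coordinate(max_lat, :lat)]
  [[lons[0], lats[0]], [lons[0], lats[1]], [lons[1], lats[0]], [lons[1], lats[1]]]
end

# WKT text built only from Floats; "%.10g" prints 0.0 as "0" and 77.5 as "77.5".
def multipoint_wkt(corners)
  points = corners.map { |lon, lat| format("%.10g %.10g", lon, lat) }
  "MULTIPOINT ( #{points.join(', ')} )"
end

# Final statement: the WKT literal is single-quoted as PostGIS requires, and
# the only interpolated text is the output of multipoint_wkt.
def centroid_sql(min_lon, min_lat, max_lon, max_lat)
  wkt = multipoint_wkt(bbox_corners(min_lon, min_lat, max_lon, max_lat))
  "SELECT ST_AsText(ST_Centroid('#{wkt}')) as centroid"
end
```

Coercing first also matters with the sanitize_sql_array version: request parameters arrive as Strings, and sanitize_sql_array quotes a String as '0', which inside the already-quoted WKT literal is again a syntax error rather than a number.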