Posted almost 6 years ago.

Do not pass an empty array to ActiveRecord.where when using NOT IN

Be careful with the Active Record where method. When you accidentally pass an empty array to the where method using NOT IN, you probably will not get what you expected:

    User.where("id NOT IN (?)", [])
    => SELECT `users`.* FROM `users` WHERE (id NOT IN (NULL))

Even though you might expect this to return all records, it actually returns none: the condition id NOT IN (NULL) evaluates to NULL rather than true for every row, so no row passes the WHERE clause.

Never use the expression id NOT IN (?) in any scope! See some workarounds below.

Rails < 4

Rails < 4 does not provide a pretty workaround.

    ids = []
    if ids.present?
      User.where("id NOT IN (?)", ids)
    else
      User.all
    end

Rails >= 4

If you use the same expression as above in Rails >= 4, it is still broken. But you can use the .not method to work around this issue.

    User.where.not(id: []).to_sql
    => SELECT "users".* FROM "users" WHERE (1=1)
    User.where.not(id: [1]).to_sql
    => SELECT "users".* FROM "users" WHERE ("users"."id" != 1)
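Why id NOT IN (NULL) matches nothing, shown as an added example that is not part of the original card: a pure-Ruby model of SQL three-valued logic, not ActiveRecord code. All method names are hypothetical, the rows are constructed, and it goes beyond the empty-array case to a list containing nil, assuming nil elements are bound as NULL.

```ruby
# Added example: models SQL three-valued logic in plain Ruby (no database).
# nil stands for SQL NULL / UNKNOWN. All names here are hypothetical.

# SQL "=": comparing anything with NULL yields UNKNOWN.
def sql_eq(a, b)
  (a.nil? || b.nil?) ? nil : (a == b)
end

# SQL "x IN (list)": an OR over the individual equality tests.
def sql_in(value, list)
  results = list.map { |item| sql_eq(value, item) }
  return true if results.include?(true)
  results.include?(nil) ? nil : false
end

# SQL "NOT": UNKNOWN stays UNKNOWN.
def sql_not(truth)
  truth.nil? ? nil : !truth
end

# Models the binding shown above: an empty array is rendered as a single NULL.
def bind_list(ids)
  ids.empty? ? [nil] : ids
end

# WHERE keeps a row only when the condition is TRUE, so UNKNOWN rows are dropped.
def where_id_not_in(row_ids, ids)
  list = bind_list(ids)
  row_ids.select { |id| sql_not(sql_in(id, list)) == true }
end

# Guarded variant: same shape as the Rails < 4 workaround, plus nil removal.
def guarded_where_id_not_in(row_ids, ids)
  ids = Array(ids).compact
  ids.empty? ? row_ids : where_id_not_in(row_ids, ids)
end

USER_IDS = [1, 2, 3].freeze # constructed sample rows

if __FILE__ == $PROGRAM_NAME
  p where_id_not_in(USER_IDS, [])
  p where_id_not_in(USER_IDS, [1, nil])
  p guarded_where_id_not_in(USER_IDS, [])
  p guarded_where_id_not_in(USER_IDS, [1, nil])
end
```

Where such a scope filters records for access control, the unguarded form fails closed (nothing is returned), which tends to hide the bug until a caller works around it.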


Owner of this card: Andreas Robecke
Last edit: 4 months ago by Emanuel De
Posted by Andreas Robecke to makandra dev