thank_you

Reputation: 11107

SQL Injection Prevention and Converting Data in Rails

I noticed in the Ruby on Rails Guide that this is considered correct format

Client.where("orders_count = ?", params[:orders])

whereas later on they used

Client.where(:created_at => (params[:start_date].to_date)..(params[:end_date].to_date))

My question is, is it safe to assume that using the .to_ method will be secure enough against SQL injection?

Upvotes: 0

Views: 175

Answers (1)

mbdev

Reputation: 6563

It is not that the to_ method will be secure, but that the format of: where(:column => value) or with the new hash format: where(column: value) is just as secure and more convenient.

Upvotes: 1
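An added example, not from the question, the answer, or ActiveRecord itself: a small pure-Ruby model of the three query-building styles in this thread, showing that the `?` placeholder form and the hash form both pass the value through quoting while plain string interpolation does not. `coerce_date` stands in for ActiveSupport's String#to_date and is assumed here to behave like `Date.parse(str, false)`; the `quote` helper is a minimal stand-in for the adapter's quoting, not Rails code.

```ruby
require "date"

# Minimal stand-in for adapter quoting (assumption, not ActiveRecord):
# integers pass through, dates become ISO literals, strings get their
# single quotes doubled so they cannot close the literal early.
def quote(value)
  case value
  when Integer then value.to_s
  when Date    then "'#{value.iso8601}'"
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Unsafe style: attacker-controlled text becomes part of the SQL itself.
def interpolated_where(column, raw)
  "SELECT * FROM clients WHERE #{column} = '#{raw}'"
end

# The where("orders_count = ?", value) style: every ? in the template is
# replaced by a quoted value; the template, not the value, is scanned.
def placeholder_where(template, *values)
  vals = values.dup
  raise ArgumentError, "placeholder count mismatch" if vals.size != template.count("?")
  "SELECT * FROM clients WHERE #{template.gsub('?') { quote(vals.shift) }}"
end

# The where(column: value) hash style: column names come from the developer,
# values are always quoted, and a Range becomes BETWEEN with quoted endpoints.
def hash_where(conditions)
  clauses = conditions.map do |col, val|
    if val.is_a?(Range)
      "#{col} BETWEEN #{quote(val.begin)} AND #{quote(val.end)}"
    else
      "#{col} = #{quote(val)}"
    end
  end
  "SELECT * FROM clients WHERE #{clauses.join(' AND ')}"
end

# Model of String#to_date: the result is a typed Date (or an ArgumentError
# for input that is not a date), so no raw request text reaches the query.
def coerce_date(str)
  Date.parse(str, false)
end
```

The point the answer makes is visible in `hash_where` and `placeholder_where`: the value is safe because it is quoted, not because it was converted first; `coerce_date` only adds a type check on top of that.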
