Yuval Karmi
Reputation: 26723
Rails SQL injection?
In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:
Post.all(:conditions => ['title = ?', params[:title]])
I know that an unsafe way of doing this (possible SQL injection) is this:
Post.all(:conditions => "title = #{params[:title]}")
My question is, does the following method prevent SQL injection or not?
Post.all(:conditions => {:title => params[:title]})
Upvotes: 33
Views: 13613
Answers (3)
Mohit Jain
Reputation: 43959
+1 @fphilipe and @yuval Check this 5 min video from railscast and this one from rails guide
Upvotes: 5
Related Questions
- Rails SQL injection vulnerability
- Rails 5 SQL Injection
- SQL Injection in Rails
- Rails preventing SQL injections
- Protecting against sql injection using activerecord
- Rails: Sql injection concern?
- Rails, SQL Injection, and Params
- Sql Injection Prevention and Converting Data in Rails
- Rails sql injection in custom "where" clause
- Protecting against SQL injection in Rails