Madalina

Reputation: 457

SQL Injection in Rails

I read something about SQL Injection in Rails, but things are pretty unclear for me. For example, I didn't understand if code like the one listed below is safe from SQL Injection or not.

User.where("first_name like ? ", "%#{params[:q]}%")

If not, what's the alternative?

Upvotes: 1

Views: 124

Answers (1)

Matt Gibson

Reputation: 14949

Yes, this is safe. ActiveRecord will use a prepared statement after sanitising your parameters to prevent SQL injection.

The Rails guides give more information: http://guides.rubyonrails.org/security.html#sql-injection

Upvotes: 1
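To make the difference between the two query styles concrete, here is an added plain-Ruby illustration (not code from the question, the answer, or ActiveRecord itself). The functions quote_sql, bind_placeholders and escape_like are constructed stand-ins that mimic what the "?" placeholder and ActiveRecord's sanitize_sql_like do: the user's text is turned into a single string literal instead of being spliced into the SQL grammar. The sample input "O'Brien" is constructed; it is a legitimate name whose apostrophe breaks the interpolated query but is handled correctly by the bound one. The third function also escapes the LIKE wildcards % and _, which placeholder binding alone does not do, so a value of "%" would otherwise match every row.

```ruby
# Added illustration of placeholder binding versus string interpolation.
# These helpers only mimic ActiveRecord's behaviour; they are not its code.

# Quote a Ruby value as a SQL string literal the way a DB adapter does:
# wrap it in single quotes and double any embedded single quote.
def quote_sql(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" in the fragment with the next quoted bind value.
# This is the idea behind User.where("first_name like ?", value).
def bind_placeholders(fragment, *values)
  vals = values.dup
  unless fragment.count("?") == vals.size
    raise ArgumentError, "wrong number of bind variables"
  end
  fragment.gsub("?") { quote_sql(vals.shift) }
end

# Escape LIKE metacharacters (\, %, _) so the user's text matches literally.
# Same idea as ActiveRecord::Base.sanitize_sql_like (Rails 4.2+).
def escape_like(value, escape_char = "\\")
  value.to_s.gsub(/[\\%_]/) { |m| escape_char + m }
end

# Unsafe pattern: user text is interpolated straight into the SQL string,
# so quotes in the input change the query's structure.
def unsafe_where(q)
  "SELECT * FROM users WHERE first_name LIKE '%#{q}%'"
end

# Safe pattern (what the question's snippet does): the whole "%...%" string
# is bound as one literal, so quotes in the input stay inside the literal.
def safe_where(q)
  "SELECT * FROM users WHERE " + bind_placeholders("first_name like ?", "%#{q}%")
end

# Safe and literal: additionally pin the LIKE wildcards so "%" or "_" typed
# by the user cannot widen the match beyond the intended prefix/suffix.
def safe_where_literal(q)
  "SELECT * FROM users WHERE " +
    bind_placeholders("first_name like ? ESCAPE '\\'", "%#{escape_like(q)}%")
end

if __FILE__ == $PROGRAM_NAME
  name = "O'Brien" # constructed sample input
  puts unsafe_where(name)       # apostrophe ends the literal early: broken SQL
  puts safe_where(name)         # apostrophe is doubled inside the literal
  puts safe_where_literal("%")  # wildcard is escaped, matches a literal "%"
end
```

Running the file prints the three generated statements; the interpolated one is malformed SQL at the apostrophe, while the bound ones keep the input inside a single quoted literal.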
