Rails SQL injection?

ruby-on-rails security sql-injection
Yuval Karmi picture Yuval Karmi · Jun 3, 2010 · Viewed 13.3k times · Source

In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:

Post.all(:conditions => ['title = ?', params[:title]])

I know that an unsafe way of doing this (possible SQL injection) is this:

Post.all(:conditions => "title = #{params[:title]}")

My question is, does the following method prevent SQL injection or not?

Post.all(:conditions => {:title => params[:title]})

Answer

fphilipe picture fphilipe · Jun 3, 2010

Yes, it does. Only the second one is dangerous.

Related questions

Is it secure to store passwords as environment variables (rather than as plain text) in config files?

I work on a few apps in rails, django (and a little bit of php), and one of the things that I started doing in some of them is storing database and other passwords as environment variables rather than plain …

Read More
How to use secrets.yml for API_KEYS in Rails 4.1?

In one of my recent projects I started out by .gitignoring the files containing secrets and environment variables. So the entire project is committed to the repo except the files that contain third party secrets such as that of Stripe, …

Read More
Is this Rails JSON authentication API (using Devise) secure?

My Rails app uses Devise for authentication. It has a sister iOS app, and users can log in to the iOS app using the same credentials that they use for the web app. So I need some kind of API …

Read More