Rails SQL injection?

Question

In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:

Post.all(:conditions => ['title = ?', params[:title]])

I know that an unsafe way of doing this (possible SQL injection) is this:

Post.all(:conditions => "title = #{params[:title]}")

My question is, does the following method prevent SQL injection or not?

Post.all(:conditions => {:title => params[:title]})

fphilipe · Accepted Answer · 2010-06-02 23:10:12Z

39

Yes, it does. Only the second one is dangerous.

answered Jun 2, 2010 at 23:10

fphilipe

10.1k1 gold badge42 silver badges55 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

Thank you for your direct response.

Ja͢ck · Accepted Answer · 2013-02-25 07:01:30Z

8

One good reference from the RoR Guides.

Ja͢ck

174k39 gold badges269 silver badges317 bronze badges

answered Jun 2, 2010 at 23:13

edthix

1,75216 silver badges18 bronze badges

Mohit Jain · Accepted Answer · 2010-06-02 23:12:49Z

5

+1 @fphilipe and @yuval Check this 5 min video from railscast and this one from rails guide

answered Jun 2, 2010 at 23:12

Mohit Jain

44.1k58 gold badges174 silver badges276 bronze badges

Thanks, I've seen this already but it doesn't cover my question (pertaining to the last find)