In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:
Post.all(:conditions => ['title = ?', params[:title]])
I know that an unsafe way of doing this (possible SQL injection) is this:
Post.all(:conditions => "title = #{params[:title]}")
My question is, does the following method prevent SQL injection or not?
Post.all(:conditions => {:title => params[:title]})
Yes, it does. Only the second one is dangerous.
edthix
One good reference from the RoR Guides.
+1 @fphilipe and @yuval Check this 5 min video from railscast and this one from rails guide
来源:https://stackoverflow.com/questions/2962263/rails-sql-injection