
Prevent SQL Injections by using the ? in queries

17 Sep 2010

(info@leolezner.de)

Use a question mark placeholder for every value in a query and pass the values as separate arguments. Never interpolate request parameters into the SQL string, or you open the query to SQL injection.

Unsafe (params[:alias] is spliced into the SQL string; a single quote in the input ends the literal and the rest is executed as SQL)

Product.where("alias = '#{params[:alias]}'")

Safe (the value is bound separately and quoted by the database adapter)

Product.where("alias = ?", params[:alias])

ActiveRecord quotes and escapes each bound value before it is spliced into the statement, so the input can only ever be a string literal, never part of the SQL. The hash form, Product.where(:alias => params[:alias]), and named placeholders, Product.where("alias = :alias", :alias => params[:alias]), give the same protection. Placeholders only protect values: a column name or sort direction taken from params (for example in order) is not a value and still needs to be checked against an allowlist.
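To make the difference concrete, here is an added example that is not part of the original post and does not use ActiveRecord itself: a minimal stand-in for what "?" binding does (quote the value, then substitute it), run against the two queries above with a constructed attacker input. The function names (quote_sql, bind_params, unsafe_where, safe_where) and the products table are assumptions for illustration.

```ruby
# Added example, not from the original post: a minimal stand-in for
# ActiveRecord's "?" placeholder binding, to show why string interpolation
# is exploitable and binding is not. It does not use ActiveRecord.

# Quote a Ruby value as a SQL literal the way a database adapter does:
# strings get single quotes with embedded quotes doubled, numbers pass
# through unchanged, nil becomes NULL, booleans become 1/0.
def quote_sql(value)
  case value
  when nil           then "NULL"
  when Integer, Float then value.to_s
  when true          then "1"
  when false         then "0"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the quoted value at that position.
# Like ActiveRecord, refuse a mismatch between placeholders and values.
def bind_params(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError,
          "wrong number of bind variables (#{values.size} for #{placeholders})"
  end
  i = -1
  template.gsub("?") { quote_sql(values[i += 1]) }
end

# UNSAFE: the first query from the post, built by string interpolation.
def unsafe_where(user_input)
  "SELECT * FROM products WHERE alias = '#{user_input}'"
end

# SAFE: the second query from the post, built through placeholder binding.
def safe_where(user_input)
  bind_params("SELECT * FROM products WHERE alias = ?", user_input)
end

# Constructed attacker input: closes the string literal and appends a
# tautology so every row matches.
MALICIOUS_ALIAS = "x' OR '1'='1"

if __FILE__ == $0
  puts "unsafe: " + unsafe_where(MALICIOUS_ALIAS)
  puts "safe:   " + safe_where(MALICIOUS_ALIAS)
end
```

Running it prints the interpolated query with the attacker's OR clause live in the WHERE, while the bound query carries the same bytes as one harmless literal, 'x'' OR ''1''=''1', so the database compares the alias column against that exact string and nothing else.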
