Prevent SQL Injections by using the ? in queries

11

Dislike

Twols Posted by Twols on September 17, 2010

Use the Question Mark to set the params of the query to prevent SQL Injections.

Unsafe

Product.where("alias = '#{params[:alias]}'")

Safe

Product.where("alias = ?", params[:alias])

ActiveRecord will sanitize the given params.

sql injection query
related best practices:

Comments

juancolacelli Posted by juancolacelli on 2011-08-13T08:01:13Z

It isn't a best practice, it is a required practice.

This example can be written like "Product.where(:alias => params[:alias])" too.
Post a comment

  1. Note: if you are a registered user, you can log in without input username.

    2. You may use ONLY these HTML tags to format your comment:

    <a href="" title=""> <b> <blockquote> <pre> <code> <em> <i> <strong>

    Use <pre><code>...</code></pre> for multi-line codes.

    Do not use <p> tags. Just use newlines.

Fork me on GitHub