Rails SQL injection?

Posted by yuval on Stack Overflow See other posts from Stack Overflow or by yuval
Published on 2010-06-02T23:07:47Z Indexed on 2010/06/02 23:14 UTC
Read the original article Hit count: 174

In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:

Post.all(:conditions => ['title = ?', params[:title]])

I know that an unsafe way of doing this (possible SQL injection) is this:

Post.all(:conditions => "title = #{params[:title]}")

My question is, does the following method prevent SQL injection or not?

Post.all(:conditions => {:title => params[:title]})

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about sql-injection