开发者

Rails SQL injection?

In Rails, when I want to find by a user given value开发者_开发知识库 and avoid SQL injection (escape apostrophes and the like) I can do something like this:

Post.all(:conditions => ['title = ?', params[:title]])

I know that an unsafe way of doing this (possible SQL injection) is this:

Post.all(:conditions => "title = #{params[:title]}")

My question is, does the following method prevent SQL injection or not?

Post.all(:conditions => {:title => params[:title]})


Yes, it does. Only the second one is dangerous.


One good reference from the RoR Guides.


+1 @fphilipe and @yuval Check this 5 min video from railscast and this one from rails guide

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜