
rails is Model.new safe from sql injection?

Does ModelName.new protect against sql injection?

Example:

@user = User.new(params[:user])

@user.save

I've read the rails security docs and didn't see anything about inserts via Model.new.

Thanks!


Model.new has nothing to do with SQL injection, as it is not the method that writes to the database.
It is Model.save that actually writes to the database and takes care of SQL injection.


Yes, it protects against SQL injection and is safe, as params[:user] is a hash.

You can check it with the following example. I assume you get some invalid values in params[:user][:name]:

  @user= User.new(params[:user])

  @user.save

AND

  @user= User.new()
  @user.name = params[:user][:name]  # your application may crash here, or this is not SQL injection safe
  @user.save

To avoid this you can use a hash:

  @user = User.new({ :name => params[:user][:name] })
  @user.save

After reading this I came to the conclusion that neither .new nor .save is safe from SQL injection.

Edited 

The mass-assignment feature may become a problem, as it allows an attacker to set any model’s attributes by manipulating the hash passed to a model’s new() method:

PLEASE READ 6 Mass Assignment for its problems and 6.1 Countermeasures for the solution.

0
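As an added example that is not part of the original question or answers, and that imitates rather than uses ActiveRecord (no Rails or database is needed to run it), the following plain-Ruby model shows the two points the answers above touch on: `save` quotes attribute values before they reach SQL, so a hostile `params[:user][:name]` cannot inject whether it arrives through `new(hash)` or through the attribute writer; and `new(params[:user])` assigns whatever keys the hash contains, which is the mass-assignment problem the edit refers to. The `quote_value`, `permit`, `User` and `demo` names and the request parameters are constructed for this example; the real Rails counterparts are the connection adapter's `quote` and `params.require(:user).permit(:name)`.

```ruby
# Added example (not from the original question or answers, and not
# ActiveRecord's own code): a plain-Ruby model that imitates the two
# behaviours under discussion, so it runs without Rails or a database.
#
# 1. On save, ActiveRecord passes attribute *values* through the adapter's
#    quoting (single quotes doubled, string wrapped in quotes), so a value
#    never becomes SQL syntax, whether it was set via Model.new(hash) or
#    via the attribute writer.  quote_value below imitates that.
# 2. Model.new(params[:user]) assigns every key in the hash ("mass
#    assignment"), so the real risk is an attacker-supplied key such as
#    "admin".  permit below imitates Rails strong parameters
#    (params.require(:user).permit(:name)).

class UnknownAttributeError < StandardError; end

# Imitation of ActiveRecord's quoting of a literal (SQLite-style booleans).
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  when true then "1"
  when false then "0"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Imitation of strong parameters: keep only whitelisted keys from params.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.each_with_object({}) do |(k, v), h|
    h[k.to_s] = v if allowed.include?(k.to_s)
  end
end

class User
  ATTRIBUTES = %w[name email admin].freeze
  attr_reader :attributes

  # Model.new(hash) style mass assignment: every key naming a column is set.
  def initialize(attrs = {})
    @attributes = { "admin" => false }
    attrs.each do |k, v|
      raise UnknownAttributeError, "unknown attribute '#{k}'" unless ATTRIBUTES.include?(k.to_s)
      public_send("#{k}=", v)
    end
  end

  ATTRIBUTES.each do |col|
    define_method(col) { @attributes[col] }
    define_method("#{col}=") { |v| @attributes[col] = v }
  end

  # What save would send to the database: every value is quoted, never
  # interpolated raw, so the injection payload stays inside a string literal.
  def to_insert_sql
    cols = ATTRIBUTES.select { |c| @attributes.key?(c) }
    vals = cols.map { |c| quote_value(@attributes[c]) }
    "INSERT INTO users (#{cols.join(', ')}) VALUES (#{vals.join(', ')})"
  end
end

# Constructed request parameters, as an attacker might submit them.
EVIL_PARAMS = {
  "name"  => "bob'); DROP TABLE users; --",
  "email" => "bob@example.com",
  "admin" => true
}.freeze

def demo
  # Straight from params: the value is safely quoted, but the attacker's
  # admin flag is accepted, which is the mass-assignment problem.
  unsafe = User.new(EVIL_PARAMS)
  # With a whitelist the admin key never reaches new.
  safe = User.new(permit(EVIL_PARAMS, :name, :email))
  {
    unsafe_sql: unsafe.to_insert_sql,
    unsafe_admin: unsafe.admin,
    safe_sql: safe.to_insert_sql,
    safe_admin: safe.admin
  }
end

demo.each { |k, v| puts "#{k}: #{v}" } if $PROGRAM_NAME == __FILE__
```

Running it prints two INSERT statements whose `name` column is the same harmless quoted literal in both cases; only the `admin` column differs, which is why the countermeasure is a parameter whitelist rather than anything to do with `save`.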
