Tags: ruby-on-rails, sql-injection

Rails SQL injection vulnerability


Can using Model.find(params[:id]) lead to a SQL injection vulnerability?


Solution

  • No, it can't. Quote from the Guides (http://guides.rubyonrails.org/security.html#sql-injection):

    Ruby on Rails has a built-in filter for special SQL characters, which will escape ', ", the NULL character and line breaks. Using Model.find(id) or Model.find_by_something(something) automatically applies this countermeasure.

    BTW, you probably meant Model.find(params[:id]) or Model.find_by(id: params[:id]); Model.find(id: params[:id]) makes no sense.
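The following is an added example, not part of the question or answer above and not ActiveRecord's own implementation. It illustrates in plain Ruby the difference the answer is pointing at: a value that is passed to the query builder as a parameter is type-cast or quoted before it reaches the SQL text, while a value interpolated straight into a SQL string is not. The `quote` function escapes the characters the Rails guide lists (plus backslash); `cast_id` mimics an integer primary-key cast but rejects non-numeric input outright, which is this example's own choice rather than a claim about ActiveRecord's behaviour. The `table` and `column` names are assumed to be program constants, never user input, because quoting protects values only, not identifiers.

```ruby
# Added example (constructed, not ActiveRecord code): how a parameter is made
# safe before it is placed in SQL, beside the interpolation that skips it.

# Replacements for the special characters named in the Rails security guide
# (single quote, double quote, NUL, line breaks), plus the backslash.
ESCAPES = {
  "\\"   => "\\\\",
  "'"    => "''",
  '"'    => '\\"',
  "\x00" => "\\0",
  "\n"   => "\\n",
  "\r"   => "\\r"
}.freeze

# Return the value as a quoted SQL string literal with special characters
# escaped, so the literal always ends where the quoting function put the
# closing quote, whatever the input contained.
def quote(value)
  "'" + value.to_s.gsub(/[\\'"\x00\n\r]/, ESCAPES) + "'"
end

# Mimic an integer primary-key cast: only a whole decimal number is accepted.
# Anything else yields nil, which the caller treats as "no such record"
# (this strict rejection is an assumption of the example).
def cast_id(value)
  Integer(value.to_s, 10)
rescue ArgumentError
  nil
end

# Safe lookup by primary key: the id is cast to an integer first, so the SQL
# text can only ever contain a number. Returns nil when the cast fails.
def find_sql(table, raw_id)
  id = cast_id(raw_id)
  return nil if id.nil?

  "SELECT * FROM #{table} WHERE id = #{id} LIMIT 1"
end

# Safe lookup by a string column: the value goes through quote, so quotes
# and control characters inside it cannot terminate the literal.
def lookup_sql(table, column, value)
  "SELECT * FROM #{table} WHERE #{column} = #{quote(value)} LIMIT 1"
end

# Unsafe counterpart for contrast: the raw input lands in the statement
# unchanged, so whatever the client sent becomes part of the SQL text.
def interpolated_sql(table, raw_id)
  "SELECT * FROM #{table} WHERE id = #{raw_id} LIMIT 1"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal id, a malformed id and a name with
  # a quote and a newline in it.
  puts find_sql("users", "42")
  p   find_sql("users", "42abc")
  puts lookup_sql("users", "name", "O'Reilly\nJr.")
  puts interpolated_sql("users", "42abc")
end
```

Run it with `ruby example.rb`: the cast version refuses the malformed id, the quoted version keeps the apostrophe and newline inside the literal, and the interpolated version reproduces the raw input verbatim, which is exactly the property the guide's countermeasure removes.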