Can using Model.find(params[:id]) lead to an SQL injection vulnerability?
No, it can't. Quote from Guides (http://guides.rubyonrails.org/security.html#sql-injection):
Ruby on Rails has a built-in filter for special SQL characters, which will escape ' , " , NULL character and line breaks. Using Model.find(id) or Model.find_by_something(something) automatically applies this countermeasure.
BTW you probably meant Model.find(params[:id]) or Model.find_by(id: params[:id]); Model.find(id: params[:id]) makes no sense.