snow_leopard - 5 months ago
Ruby Question

Is find_by_id SQL injection safe in Rails?

I have the following code in my Rails controller:

State.find_by_id(params[:id])


Here params[:id] is user input.

Do I need to sanitize this parameter to make the above call safe from SQL injection?

Answer

Yes, this method is part of ActiveRecord::FinderMethods and it is safe.

Small example:

User.find_by_id("' OR 1 --")
  User Load (0.3ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT 1  [["id", 0]]
=> nil