snow_leopard snow_leopard - 7 months ago 23
Ruby Question

is find_by_id sql injection safe in rails?

I have following code in my rails controller:


here params[id] is a user input

Do I need to sanitize this parameter to make the above call safe from SQL injection ?


Yes, this method is ActiveRecord::FinderMethods and it safe.

small example:

User.find_by_id("' OR 1 --")
  User Load (0.3ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT 1  [["id", 0]]

=> nil