Preventing SQL Injection attacks in Ruby ActiveRecord

ActiveRecord queries are exposed to SQL injection whenever user-supplied values are pasted directly into an SQL string, so query code must be written so that such attempts fail. The recommended Ruby practice is to use a question-mark placeholder when passing variables to the SQL query, and let ActiveRecord quote the value:

my_record = ["name = ?", name]   # positional placeholder: ActiveRecord quotes the value of name

You can also use a named placeholder, which likewise prevents SQL injection in ActiveRecord:

my_record = ["name = :name", {:name => name}]   # named placeholder: :name is bound from the hash

Writing ActiveRecord conditions this way stops anyone from breaking into your database with a fragment like "or 1=1" appended to the end of your SQL string: the bound value is treated as a quoted literal, never parsed as SQL.
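To make the difference concrete, here is an added example (not code from the original post, and not ActiveRecord's own implementation) that re-implements in plain Ruby the two binding forms shown above, `["name = ?", name]` and `["name = :name", {:name => name}]`, next to the unsafe string-interpolation pattern. The helper names `quote_value`, `bind_positional`, `bind_named`, `where_sql` and `unsafe_condition` are assumptions made for this example; the only rule they rely on is the standard SQL escape of a single quote as two single quotes.

```ruby
# Added example, not part of the original post and not ActiveRecord's API.
# Mimics the placeholder binding ActiveRecord performs for
#   ["name = ?", name]  and  ["name = :name", {:name => name}]
# so the reader can see why a value containing "or 1=1" stays a literal.

# Render a Ruby value as an SQL literal. Strings are wrapped in single quotes
# with any embedded single quote doubled (standard SQL escaping).
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil            then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Positional form: each "?" in the template is replaced by the next quoted value.
# The count check mirrors the error ActiveRecord raises on a value mismatch.
def bind_positional(template, values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind values (#{values.size} for #{template.count('?')})"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# Named form: ":name" is replaced by the quoted value stored under values[:name].
# A "::" sequence (e.g. a PostgreSQL cast) is left untouched.
def bind_named(template, values)
  template.gsub(/(:?):([a-zA-Z]\w*)/) do
    match = Regexp.last_match
    next match[0] if match[1] == ":"
    key = match[2].to_sym
    raise ArgumentError, "missing value for :#{key}" unless values.key?(key)
    quote_value(values[key])
  end
end

# Accepts the same array shapes the post shows and returns the bound WHERE clause:
# a trailing Hash selects the named form, anything else the positional form.
def where_sql(conditions)
  template, *rest = conditions
  if rest.size == 1 && rest.first.is_a?(Hash)
    bind_named(template, rest.first)
  else
    bind_positional(template, rest)
  end
end

# The pattern the post warns against: the raw value becomes part of the SQL text.
def unsafe_condition(name)
  "name = '#{name}'"
end

if __FILE__ == $0
  hostile = "x' OR 1=1 --"   # constructed sample input containing the "or 1=1" fragment
  puts "unsafe:     " + unsafe_condition(hostile)              # name = 'x' OR 1=1 --'
  puts "positional: " + where_sql(["name = ?", hostile])        # name = 'x'' OR 1=1 --'
  puts "named:      " + where_sql(["name = :name", {:name => hostile}])
end
```

In the unsafe output the quote supplied by the caller closes the string early and `OR 1=1` is parsed as SQL; in both bound outputs the same quote is doubled, so the whole input remains a single string literal compared against `name`.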
