do I need to do mysql_escape_string and how?

paul wrote:

In my rails apps do I need to do mysql_escape and if so what functions
are around to be able to do this?

Let Rails take care of all such mundane things for you. Either assign your string, as string data, to a member of an ActiveRecord-derived object, or use your string in a find() using a parameter substitution system, like :conditions => ['foo = ?', my_foo].

I suspect Rails will either correctly escape things, or will use the underlying Database's parameterized query system.

All you need to do is remember never to put a tainted string directly into a fragment of an SQL statement. Never say, for example, :conditions => "foo = '#{my_foo}'", because now you are vulnerable to SQL-insertion attacks. Rails cannot help a string with #{} in it, because that expands at Ruby time before Rails sees the string.

paul wrote:

yeah that is the problem, I am generating the conditions statment in a
string, which could be a security problem, I was wondering if there is a
way to manually escape these fields whilst creating the conditions
string?

:conditions => [" foo = ?", bar]

Always use at least the ? notation, This matches the raw database
technique of parameterized queries. It escapes.