Easiest defense against SQL injection in object creation?

I've been scouring the web for suggested Rails defenses against SQL
injection, but I haven't found much on the object creation part.
Certainly using attr_protected, etc., is a good way to prevent unwanted
fields from being modified on the new object (if you're passing a hash
as creation parameters), but what about escaping the POSTed info before
saving? Couldn't you POST some SQL injector evilness into an 'allowed'
field and terminate the INSERT and maybe run some DELETES, etc.? Are
people who pass the whole params hash setting themselves up for SQL
armageddon?

Let me know if I've got it all wrong. And if there are built-in (or
otherwise easy) ways to deal with *all* such potential threats, that
would be good to know, too. :)

Thanks,
Mike

Check this link
http://manuals.rubyonrails.com/read/chapter/43

Active Record takes care of most things for you.

Hope this helps,
Cam
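An added example (written for this thread, not code from Rails or from either poster) of the mechanism Cam is pointing at: on save, Active Record turns every attribute value into a quoted SQL literal (or a bound parameter), so text that arrives in params never becomes part of the statement. The `quote`, `insert_sql`, `unsafe_insert_sql` and `semicolons_outside_literals` functions below are hypothetical stand-ins for the framework's own quoting, and the attacker-style name is constructed; attr_protected/attr_accessible is a separate control (which fields may be set), not what stops injection.

```ruby
# Constructed input: a 'name' field that would be dangerous if interpolated.
EVIL_NAME = "Mallory', 'x'); DELETE FROM users; --"

# Quote a Ruby value as a SQL literal the way Active Record's
# connection.quote does: wrap strings in single quotes and double any
# embedded single quote so it cannot terminate the literal.
def quote(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# What the framework does on Model.create(attrs): every value is quoted,
# so the attacker's text is data inside one literal, never a second statement.
def insert_sql(table, attrs)
  cols = attrs.keys.map(&:to_s).join(", ")
  vals = attrs.values.map { |v| quote(v) }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# The anti-pattern: hand-built SQL with plain string interpolation. A single
# quote in the value closes the literal and the rest runs as SQL.
def unsafe_insert_sql(table, attrs)
  cols = attrs.keys.map(&:to_s).join(", ")
  vals = attrs.values.map { |v| "'#{v}'" }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# Crude check (not a SQL parser): count ';' that sit outside string
# literals. A doubled quote ('') stays inside the current literal.
def semicolons_outside_literals(sql)
  count, in_str, i = 0, false, 0
  while i < sql.length
    c = sql[i]
    if in_str
      if c == "'"
        sql[i + 1] == "'" ? i += 1 : in_str = false
      end
    elsif c == "'" then in_str = true
    elsif c == ";" then count += 1
    end
    i += 1
  end
  count
end

attrs = { name: EVIL_NAME, email: "m@example.com" }
puts insert_sql("users", attrs)        # one statement, value stays quoted
puts unsafe_insert_sql("users", attrs) # literal closed early, DELETE exposed
```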

cammo wrote:
> Check this link
> http://manuals.rubyonrails.com/read/chapter/43
>
> Active Record takes care of most things for you.
>
> Hope this helps,
> Cam
>
> On Jan 1, 11:27 am, Mike Laurence <rails-mailing-l...@andreas-s.net>

Ah. I missed the 'attributes are okay' part last time I read through. :)