rails named scopes and sql injection

HI guys,

I just came through an example on code of the place I work for that said something like this could be vulnerable to sql injection attacks:

scope :with_name, lambda { |name| where(“LOWER(name) LIKE ?”, name.downcase) }

I wonder if this is true. My thought is that rails should escape this and that anything that tried to do something different would fail on the translation to SQL, but does anybody know exactly what happens behind the curtains?

all the best,


Everything that’s inserted into placeholders (the ? above) is escaped - so characters like ’ will not break the SQL quoting and allow mischief. Modern Rails versions will even use prepared statements to do this, if your DB adapter supports them.

Your colleague may have been thinking of the (similar but NOT SECURE) form:

scope :with_name_plus_HAX, lambda { |name| where(“LOWER(name) LIKE ‘#{name}’”) }

Here the variable is manually interpolated, and will NOT get any escaping. DON’T DO THIS. :slight_smile:

–Matt Jones

AFAIK, using the array syntax, or the syntax you used in the where IS NOT vulnerable to injection attacks. This matches up with my experience.

You can try this out yourself to verify.


I just dont have the time right now to try this. just wanted to see if there was any documentation the subject because I couldnt find anything that would tell me otherwise. but thanks for your help guys :slight_smile:

It’d take less time that replying to this email.

You should always teach yourself with micro-experiments where possible IMHO.