validating text in Rails.

Hi Sam -

h() is there to protect you from cross-site scripting attacks.

SQL injection attacks are a different beast. Luckily, ActiveRecord will
take care of those for you, as long as you use it correctly. This boils
down to never manually inserting user-entered content into an sql
query.

For more detail: http://manuals.rubyonrails.com/read/book/8

Cheers,
Starr