XSS and SQL Injection attacks

I have been notified by my boss that a large company that is using my
app is going to start and try to hack it for vulnerablilities and while
I feel that I have things pretty well secure I just wanted to inquire
about, first, what is meant when rails says the SQL statements are
'sanatized' when you use
find(:all, :conditions => ['.....']), and secondely, can any one point
me to some good online references that deal with XSS and SQL injection
attacks. Thanks,

-S

I have been notified by my boss that a large company that is using my
app is going to start and try to hack it for vulnerablilities and
while
I feel that I have things pretty well secure I just wanted to inquire
about, first, what is meant when rails says the SQL statements are
'sanatized' when you use
find(:all, :conditions => ['.....']), and secondely, can any one point

sanitized means that the parameters you plug in are escaped so that
(for example)

find :all, :conditions => ["name=?", "bob'; delete * from users"] is
harmlessly escaped.

You should be safe from sql injection as long as you use :conditions
like this (or the has form of conditions)

If you do this
find :all, :conditions => "name='#{params[:name]}'"
then you're in trouble.

Fred