XSS and SQL Injection attacks

I have been notified by my boss that a large company that is using my app is going to start and try to hack it for vulnerablilities and while I feel that I have things pretty well secure I just wanted to inquire about, first, what is meant when rails says the SQL statements are 'sanatized' when you use find(:all, :conditions => ['.....']), and secondely, can any one point me to some good online references that deal with XSS and SQL injection attacks. Thanks,

-S

I have been notified by my boss that a large company that is using my app is going to start and try to hack it for vulnerablilities and
while I feel that I have things pretty well secure I just wanted to inquire about, first, what is meant when rails says the SQL statements are 'sanatized' when you use find(:all, :conditions => ['.....']), and secondely, can any one point

sanitized means that the parameters you plug in are escaped so that
(for example)

find :all, :conditions => ["name=?", "bob'; delete * from users"] is
harmlessly escaped.

You should be safe from sql injection as long as you use :conditions
like this (or the has form of conditions)

If you do this find :all, :conditions => "name='#{params[:name]}'" then you're in trouble.

Fred