Really, Really, Really Don’t Interpolate Strings into Active Record Methods - Andy Croll
Protecting your application against malicious users is one of your key responsibilities as a developer. The built-in security provided by a well-maintained framework, such as Rails, is an excellent reason to use one. This is particularly true of the protection Active Record affords by sanitizing user input before it is written to your database. However, there are ways to pass strings directly to Active Record scopes when you need to, and that power should be used very sparingly and carefully.
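As an added example (not the article's own code), here is the string interpolation the post warns against next to a hand-written imitation of Active Record's `?` placeholder binding. The `quote_value` helper is an assumption that mirrors SQL's single-quote doubling rather than Active Record's real `quote` method, and no database is loaded; the input is a legitimate name containing an apostrophe, which is enough to show why raw interpolation produces broken SQL.

```ruby
# Added example (not from the article): a minimal imitation of how Active
# Record binds values into a "?"-placeholder condition, beside the string
# interpolation the article warns against. Active Record itself is not
# loaded here; quote_value only mimics its single-quote doubling for literals.

# The dangerous form: user input becomes part of the SQL text itself.
def interpolated_condition(name)
  "name = '#{name}'"
end

# Quote a Ruby value as a SQL literal (assumed, simplified quoting):
# embedded single quotes are doubled, numbers pass through, nil becomes NULL.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# The safe form: each "?" is replaced by a quoted literal, never by raw text.
# Like Active Record, a placeholder/value count mismatch raises an error.
def bound_condition(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{placeholders})"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

# A valid run of single-quoted SQL literals always has an even quote count.
def quotes_balanced?(sql)
  sql.count("'").even?
end

if __FILE__ == $0
  user_input = "O'Brien"   # constructed input: an ordinary name with an apostrophe
  puts interpolated_condition(user_input)         # name = 'O'Brien'   (unbalanced, broken SQL)
  puts bound_condition("name = ?", user_input)    # name = 'O''Brien'  (correctly escaped)
end
```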