Alder Green
2006-May-24 07:06 UTC
[Rails] ActiveRecord::Base.sanitize_sql and SQL injection vulnerability.
Hi
The PostgreSQL development group released an update[1] for PostgreSQL
to address a SQL injection vulnerability. From the information[2]
released with this update, it appears the vulnerability exists in
other (all?) database systems allowing multi-byte encoding of
requests.
Of particular importance - since it relates not to database issues but
to web programming practices - are these quotes from [2], instructing
developers to 'remove any non-standard string escaping mechanisms from
their applications, such as the popular "backslash-escape", or "\'",
or at least modify them to use the SQL-standard doubling ('') to
escape quotes.'
In particular, the vulnerability relates to applications that 'use
ad-hoc methods to "escape" strings going into the database, such as
regexes, or PHP3's addslashes() and magic_quotes. Since these bypass
database-specific code for safe handling of strings, many such
applications will need to be re-written to become secure.'
Since this is not my field, I'm asking here: how does the above relate
to Rails' built-in SQL sanitizing feature[3]? Should applications
using this method be rewritten to address the multi-byte
vulnerability, and if so how?
--
-Alder
[1] http://www.postgresql.org/about/news.561
[2] http://www.postgresql.org/docs/techdocs.48
[3] ["name='%s' and group_id='%s'", "foo'bar", 4] which I gathered
work through AR::Base.sanitize_sql
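An added example, not code from the thread or from Rails, contrasting the two escaping strategies the advisory distinguishes on the sample condition cited in [3]. The `sanitize` stand-in assumes the array form of AR::Base.sanitize_sql simply escapes each value and substitutes it for `%s`, with the template supplying the quotes; `prepare` is a hypothetical helper showing the parameter-passing alternative.

```ruby
# Added example; not code from the original thread or from Rails.
# Contrasts the two escaping strategies the PostgreSQL advisory describes,
# applied to the sample condition the post cites:
#   ["name='%s' and group_id='%s'", "foo'bar", 4]

# SQL-standard escaping: double each single quote. The output never contains
# a backslash, so the server's string parser has nothing to treat specially.
def escape_standard(str)
  str.to_s.gsub("'", "''")
end

# The "backslash-escape" the advisory asks developers to remove: it relies on
# the server treating a backslash as an escape character, which is the
# non-standard behaviour the multi-byte issue turns on. Shown for contrast.
def escape_backslash(str)
  str.to_s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" }
end

# Stand-in for the array form of AR::Base.sanitize_sql (assumed behaviour):
# each %s in the template is replaced by the escaped value; the template
# itself supplies the surrounding quotes, as in the post's example.
def sanitize(template, values, escaper = method(:escape_standard))
  template % values.map { |v| escaper.call(v) }
end

# Quick check: does an escaped value still carry a backslash for the
# server to interpret?
def contains_backslash?(escaped)
  escaped.include?("\\")
end

# Hypothetical helper for the alternative that avoids client-side escaping
# altogether: "?" placeholders become $1, $2, ... as a PostgreSQL driver
# expects, and the values travel separately instead of being spliced in.
def prepare(template, values)
  n = 0
  sql = template.gsub("?") { n += 1; "$#{n}" }
  [sql, values]
end

if __FILE__ == $0
  cond = ["name='%s' and group_id='%s'", "foo'bar", 4]
  puts sanitize(cond[0], cond[1..-1])
  puts sanitize(cond[0], cond[1..-1], method(:escape_backslash))
  p prepare("name=? and group_id=?", ["foo'bar", 4])
end
```

Run stand-alone, the first line printed is `name='foo''bar' and group_id='4'`; the backslash variant prints `name='foo\'bar' and group_id='4'` and is the form the advisory says to retire.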
