2013 Apr 12
rails named scopes and sql injection
Hi guys,
I just came across an example in code at the place I work for that said
something like this could be vulnerable to SQL injection attacks:
scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }
I wonder if this is true. My thought is that Rails should escape this and
that anything that tried to do something different would fail on the
translation to SQL, but does anybody know exactly what happens behind the
curt...