by obstacle1 1639 days ago
ActiveRecord (Rails ORM) provides an interface for raw SQL queries if that's really what you want to do (`connection.execute`). You can use it whenever you want. You can also swap out ActiveRecord for something else like DataMapper (or whatever) if you really want.

But, the whole point of using a framework like Rails is to let the framework make certain decisions for you, so you can develop quickly according to convention, and not think of lower-level technical decisions. Bypassing the ORM certainly works against that.


DO NOT USE `connection.execute`. It does no kind of escaping. It's fine (and encouraged) to use in migrations but `ActiveRecord::Base.find_by_sql` is what you want for production code. I wish this was made more clear because it's crazy how much I've seen the former in production code.
SQL injections in code without an ORM are just a function of how many developers are working on the project; eventually someone will write something that goes around the escaping.
I mean sure, but if you're already working around the framework's ORM...
Breaking from the ORM isn't ideal, but if you decide you need to in a spot or two, that isn't an excuse to write insecure code.
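A defender-side check for the pattern the thread warns about, as an added example (not code from any of the thread's participants): a heuristic lint that flags `connection.execute` and `find_by_sql` calls whose SQL string is built by Ruby interpolation or concatenation, and accepts the array-with-placeholders form of `find_by_sql`. The source lines it scans are constructed, and it needs only the Ruby standard library, not Rails.

```ruby
# Heuristic lint for raw SQL in a Rails code base (added example, not from the thread).
# A raw-SQL call is flagged when the SQL literal embeds #{...} interpolation or is
# concatenated with +, the two ways request data usually ends up inside the query
# text unescaped. The array form find_by_sql(["... = ?", value]) binds values and is
# treated as safe; a plain static string (typical in migrations) is also treated as safe.
RAW_SQL_CALLS = /\b(?:connection\.execute|find_by_sql)\s*\(?/

# Returns :unsafe, :safe, or nil when the line issues no raw SQL call at all.
def classify_raw_sql(line)
  m = RAW_SQL_CALLS.match(line)
  return nil unless m
  rest = line[m.end(0)..]
  # Array form with ? placeholders: the adapter quotes the values for us.
  return :safe if rest.lstrip.start_with?("[")
  # Double-quoted literal containing #{...}, or a literal glued to something with +.
  return :unsafe if rest =~ /"[^"]*#\{/ || rest =~ /"\s*\+/ || rest =~ /\+\s*"/
  :safe
end

# Scans a blob of source and returns [[line_number, stripped_line], ...] for unsafe calls.
def scan_source(source)
  source.each_line.with_index(1).filter_map do |line, no|
    [no, line.strip] if classify_raw_sql(line) == :unsafe
  end
end

# Constructed sample source (single-quoted heredoc so #{} is kept literally).
SAMPLE = <<~'RUBY'
  User.connection.execute("DELETE FROM sessions WHERE user_id = #{params[:id]}")
  User.find_by_sql(["SELECT * FROM users WHERE email = ?", params[:email]])
  User.find_by_sql("SELECT * FROM users WHERE name = '#{name}'")
  ActiveRecord::Base.connection.execute("ANALYZE users")
  User.find_by_sql("SELECT * FROM users WHERE id = " + params[:id])
RUBY

if $PROGRAM_NAME == __FILE__
  scan_source(SAMPLE).each { |no, text| puts "unsafe raw SQL at line #{no}: #{text}" }
end
```

The check is a regex heuristic, so it misses heredoc SQL and multi-line arguments and is meant as a quick grep over a code base, not a replacement for review.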