by sodapopcan 1651 days ago
DO NOT USE `connection.execute`. It does no kind of escaping. It's fine (and encouraged) to use in migrations but `ActiveRecord::Base.find_by_sql` is what you want for production code. I wish this was made more clear because it's crazy how much I've seen the former in production code.
2 comments
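As an added illustration (not code from this thread), the difference the comment is pointing at, reduced to plain Ruby so it runs without a database: `quote` and `sanitize_sql_array` below are simplified stand-ins for ActiveRecord's own quoting, and the real `connection.execute` / `find_by_sql` call shapes are named in the comments.

```ruby
# Simplified stand-in for ActiveRecord's connection.quote (demo only):
# strings are wrapped in single quotes with embedded quotes doubled.
def quote(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind type #{value.class}"
  end
end

# Stand-in for ActiveRecord::Base.sanitize_sql_array: each `?` placeholder
# is replaced by a quoted bind value. This is what
#   Model.find_by_sql(["SELECT ... WHERE name = ?", name])
# does before the query reaches the database.
def sanitize_sql_array(sql, *binds)
  raise ArgumentError, "bind count mismatch" unless sql.count("?") == binds.size
  i = -1
  sql.gsub("?") { quote(binds[i += 1]) }
end

# What `connection.execute("SELECT ... WHERE name = '#{name}'")` sends:
# the input is spliced in verbatim, so a quote in it becomes SQL syntax.
def interpolated_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# What `User.find_by_sql(["SELECT ... WHERE name = ?", name])` sends:
# the same input arrives as a quoted literal, never as SQL syntax.
def bound_query(name)
  sanitize_sql_array("SELECT * FROM users WHERE name = ?", name)
end

if __FILE__ == $0
  hostile = "x' OR '1'='1"   # constructed input for the demonstration
  puts interpolated_query(hostile)
  puts bound_query(hostile)
end
```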

SQL injections in code without an ORM are just a function of how many developers are working on the project; eventually someone will write something that goes around the escaping.
I mean sure, but if you're already working around the framework's ORM...
Breaking from the ORM isn’t ideal, but if you decide you need to in a place or two, that isn’t an excuse to write insecure code.