What is the best possible way to avoid the sql injection?
Question

I am using ruby 1.8.7 and rails 2.3.2. The following code is prone to sql injection:

params[:id] = "1) OR 1=1--"
User.delete_all("id = #{params[:id]}")

My question is: will doing the following be the best solution to avoid sql injection or not? If not, then what is the best way to do so?

User.delete_all("id = #{params[:id].to_i}")

Answer 1:

What about:

User.where(id: params[:id]).delete_all

Ok, sorry, for Rails 2.x it's:

User.delete_all(["id = ?", params[:id]])

Check the doc. Btw, be sure you want to use
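A plain-Ruby sketch of what the placeholder form does, added here as an example (it is not ActiveRecord's own code) so the three variants from the thread can be compared offline: quote_value, bind_sql and the three condition helpers are names assumed for this illustration.

```ruby
# Added example, not the Rails implementation: a minimal "?" placeholder
# binder in the spirit of delete_all(["id = ?", value]), so the difference
# between string interpolation and value binding can be seen without a DB.

# Quote one bound value the way a SQL adapter would: integers inline,
# NULL for nil, everything else as a single-quoted string with embedded
# single quotes doubled so the value can never close the literal early.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each "?" in the template with the next quoted value. Splitting on
# the template first means a "?" inside a bound value is never re-expanded.
def bind_sql(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  parts.zip(values.map { |v| quote_value(v) } + [""]).flatten.join
end

# The vulnerable pattern from the question: raw interpolation, so the
# input's ")" and "--" become part of the SQL structure.
def unsafe_condition(id)
  "id = #{id}"
end

# The first proposed fix: coerce to integer before interpolating.
# Safe for an integer column, but it silently turns junk into 0 or 1.
def to_i_condition(id)
  "id = #{id.to_i}"
end

# The answer's approach: bind through the placeholder array form; the
# whole input stays a single literal, never SQL syntax.
def bound_condition(id)
  bind_sql("id = ?", id)
end

if __FILE__ == $0
  evil = "1) OR 1=1--"          # constructed input from the question
  puts unsafe_condition(evil)   # id = 1) OR 1=1--
  puts to_i_condition(evil)     # id = 1
  puts bound_condition(evil)    # id = '1) OR 1=1--'
end
```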