I ran into an issue.
I have users created with User.create(params[:form]), and this is secure in terms of SQL injection. But how should I find a user by email using find with :conditions?
The create method does not escape the @ sign, but :conditions => ["email = ?", params[:email]] does escape it, so user@domain (inserted into the DB by the create method) is something different from user%40domain (queried by find with :conditions).
I wonder how to properly create a :conditions statement. Of course User.find_by_email is secure (it escapes ') and finds users by email since it does not escape @, but how do I create more complicated queries with :conditions and stay SQL injection safe?
I'm going to sleep; maybe tomorrow I'll find out the right solution.
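As an added example (not part of the original post, and not ActiveRecord's own code), here is a minimal stand-in for what the "?" placeholder form of :conditions does to a bound value: the value is quoted as a SQL string literal, with single quotes doubled, and nothing else is touched. The quoting rules and the function names (quote_value, sanitize_conditions, interpolated_conditions) are assumptions of this example, simplified from how an ORM binds placeholders, kept only to show why "@" survives binding and why the string-interpolated form beside it does not:

```ruby
# Added example, not from the original post and not ActiveRecord's code.
# A simplified stand-in for "?" placeholder binding in
#   :conditions => ["email = ?", params[:email]]
# Assumption: values are quoted as SQL literals (single quotes doubled);
# they are never URL-encoded, so "@" is left exactly as it was stored.

# Quote one value as a SQL literal. Strings get their single quotes doubled,
# the standard SQL escape for "'"; integers pass through; nil becomes NULL.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported bind type #{value.class}"
  end
end

# Replace each "?" in the template with the next quoted bind value.
# Raises when the number of placeholders and values do not match, so a
# malformed query cannot silently fall back to an unbound template.
def sanitize_conditions(sql, *values)
  pending = values.dup
  result = sql.gsub("?") do
    raise ArgumentError, "too few bind values" if pending.empty?
    quote_value(pending.shift)
  end
  raise ArgumentError, "too many bind values" unless pending.empty?
  result
end

# The unsafe alternative the post is worried about: building the
# condition by string interpolation, with no quoting at all.
def interpolated_conditions(email)
  "email = '#{email}'"
end

if __FILE__ == $0
  # Constructed sample inputs: a normal address and a classic injection string.
  normal   = "user@domain.com"
  hostile  = "x' OR '1'='1"

  puts sanitize_conditions("email = ?", normal)
  puts sanitize_conditions("email = ?", hostile)
  puts interpolated_conditions(hostile)
  # A "more complicated" condition with several placeholders, bound in order.
  puts sanitize_conditions("email = ? AND active = ? AND deleted_at IS ?",
                           normal, 1, nil)
end
```

Run it and compare the second and third lines: the bound version yields email = 'x'' OR ''1''=''1' (one literal, no injected OR), while the interpolated version yields email = 'x' OR '1'='1', which matches every row. The first line shows the address stored by create is compared unchanged, with the "@" intact.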