Injection attacks are #1 at the OWASP Top 10.

- Don't use standard Ruby interpolation (`#{foo}`) to insert user-supplied strings into ActiveRecord or raw SQL queries. Use the `?` placeholder, named bind variables, or the ActiveRecord::Sanitization methods to sanitize user input used in DB queries. Mitigates SQL injection attacks.
- Don't pass user-supplied strings to methods capable of evaluating
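The following is an added example, not code from the original page, showing why interpolation is unsafe and what `?` and named binding do instead. It is plain Ruby with no ActiveRecord dependency: `quote_literal`, `bind` and `bind_named` are hypothetical stand-ins that mimic what ActiveRecord's `sanitize_sql_array` does for `?` and `:name` placeholders; in a real Rails app use `where("name = ?", name)` or `sanitize_sql_array` rather than these helpers. The sample input is constructed.

```ruby
# Constructed sample input: a string a user could submit in a login form.
EVIL_NAME = "' OR '1'='1"

# Vulnerable: the raw string becomes part of the SQL text, so quotes in the
# input change the structure of the WHERE clause.
def vulnerable_query(username)
  "SELECT * FROM users WHERE name = '#{username}'"
end

# Hypothetical quoting helper (assumption: mirrors a SQL adapter's quote):
# numbers and NULL pass through, strings are wrapped in single quotes with any
# embedded single quote doubled, which is the standard SQL escape.
def quote_literal(value)
  case value
  when Integer, Float then value.to_s
  when nil then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Hypothetical minimal `?` binder: each ? is replaced, in order, by the quoted
# value, so the input can never close the literal it is placed in.
def bind(sql, *values)
  placeholders = sql.count("?")
  unless placeholders == values.size
    raise ArgumentError, "#{placeholders} placeholders but #{values.size} values"
  end
  i = -1
  sql.gsub("?") { quote_literal(values[i += 1]) }
end

def safe_query(username)
  bind("SELECT * FROM users WHERE name = ?", username)
end

# Hypothetical named-bind helper: :name placeholders are looked up in a hash and
# quoted the same way; a missing key is an error rather than an empty literal.
def bind_named(sql, params)
  sql.gsub(/:([a-z_]+)/) do
    key = Regexp.last_match(1).to_sym
    raise ArgumentError, "missing bind value for :#{key}" unless params.key?(key)
    quote_literal(params[key])
  end
end

def safe_named_query(username, min_age)
  bind_named("SELECT * FROM users WHERE name = :name AND age >= :min_age",
             name: username, min_age: min_age)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_query(EVIL_NAME)   # WHERE clause now matches every row
  puts safe_query(EVIL_NAME)         # input stays inside one quoted literal
  puts safe_named_query(EVIL_NAME, 18)
end
```

Running it shows the vulnerable form producing `name = '' OR '1'='1'`, a clause that is true for every row, while the bound forms keep the whole input inside a single literal (`'''' OR ''1''=''1'''`). The helpers here only handle simple scalars; the real ActiveRecord methods also handle arrays, ranges and adapter-specific quoting, which is one more reason to call them instead of rolling your own.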