I’ve been scouring the web for suggested Rails defenses against SQL
injection, but I haven’t found much on the object creation part.
Certainly using attr_protected, etc., is a good way to prevent unwanted
fields from being modified on the new object (if you’re passing a hash
as creation parameters), but what about escaping the POSTed info before
saving? Couldn’t you POST some SQL injector evilness into an ‘allowed’
field and terminate the INSERT and maybe run some DELETES, etc.? Are
people who pass the whole params hash setting themselves up for SQL
Let me know if I’ve got it all wrong. And if there are built-in (or
otherwise easy) ways to deal with all such potential threats, that
would be good to know, too.
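The worry above is about a value that lands in an allowed attribute, not about which attributes are allowed (that is what attr_protected covers). ActiveRecord does not interpolate attribute values into the INSERT text; it passes each one through the connection's quote method (or a bind parameter on newer versions), so a string is written as a single SQL literal. The plain-Ruby block below is an added illustration, not code from the original post or from Rails: it contrasts naive interpolation with quoting modelled on ActiveRecord's, using a constructed value of the kind the post describes, and a rough statement counter a defender can run over generated SQL.

```ruby
# Added illustration (not from the original post, not Rails code): how a value
# POSTed into an "allowed" attribute fares when the INSERT is built by string
# interpolation versus by SQL-literal quoting of the kind ActiveRecord applies
# to every attribute value it writes (nil -> NULL, numbers as-is, strings
# wrapped in single quotes with embedded quotes doubled).

# Constructed sample: the kind of attacker-controlled value the post worries about.
EVIL_NAME = "x'); DELETE FROM users; --"

# Quote one Ruby value as a single SQL literal. Modelled on ActiveRecord's
# connection.quote; real adapters handle more types and DB-specific escaping.
def quote(value)
  case value
  when nil then "NULL"
  when Numeric then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# The unsafe way: raw attribute values interpolated into the SQL text.
def insert_interpolated(attrs)
  cols = attrs.keys.join(", ")
  vals = attrs.values.map { |v| "'#{v}'" }.join(", ")
  "INSERT INTO users (#{cols}) VALUES (#{vals})"
end

# The way ActiveRecord builds the statement: every value goes through quote.
def insert_quoted(attrs)
  cols = attrs.keys.join(", ")
  vals = attrs.values.map { |v| quote(v) }.join(", ")
  "INSERT INTO users (#{cols}) VALUES (#{vals})"
end

# Rough check over generated SQL: how many statements would a parser that
# honours single-quoted literals see? Counts ';' outside quoted strings
# (doubled quotes inside a literal toggle the state twice, so they stay inside).
def statement_count(sql)
  in_str = false
  count = 1
  sql.each_char do |c|
    if c == "'"
      in_str = !in_str
    elsif c == ";" && !in_str
      count += 1
    end
  end
  count
end
```

With `{ name: EVIL_NAME, email: "a@example.invalid" }`, `insert_interpolated` yields text containing three statements while `insert_quoted` yields one, with the whole injected string sitting inside the name literal.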