Rails SQL 注入?

问题描述：

在 Rails 中，当我想根据用户给定的值查找并避免 SQL 注入(转义撇号等)时，我可以执行以下操作:

In Rails, when I want to find by a user given value and avoid SQL injection (escape apostrophes and the like) I can do something like this:

Post.all(:conditions => ['title = ?', params[:title]])

我知道这样做的不安全方法(可能是 SQL 注入)是这样的:

I know that an unsafe way of doing this (possible SQL injection) is this:

Post.all(:conditions => "title = #{params[:title]}")

我的问题是，以下方法是否可以防止 SQL 注入?

My question is, does the following method prevent SQL injection or not?

Post.all(:conditions => {:title => params[:title]})

答

是的，确实如此.只有第二个是危险的.

Yes, it does. Only the second one is dangerous.