
In my controllers I'm using a lot of find_by_sql() stuff, and to avoid SQL injection I'm building my SQL statements as hashes as follows:

Beneficiary.find_by_sql(["SELECT * FROM beneficiaries WHERE project_id=? AND cso_id IN(SELECT user_id FROM user_projects INNER JOIN users ON user_projects.user_id=users.id)", params[:id]])

Is it enough to avoid SQL injection, or do I need more?

Unknown Coder

1 Answer


Yes, it's enough: you use placeholders for parameters, so there is no SQL injection problem.

xdazz