
The project that I am working on uses Rails 4.0.2 and Postgres 9.4.7. I am new to Rails and I wonder whether Rails ActiveRecord creates prepared statements.

When I run this line:

 User.where(id:123)

The log says:

 SELECT "users".* FROM "users" WHERE "users"."id" = 123

But when I run this line:

 User.find(123)

The log says:

 SELECT "users".* FROM "users" WHERE "users"."id" = $1 LIMIT 1  [["id", 123]]

Why the difference? Which is more secure? I think that the first version, using where(), is only escaping the data and the second version, using find(), uses a prepared statement. Is that correct? Is it possible to use where but create a query like the second version?

2 useful links

What is the purpose of ActiveRecord::Relation#bind?

http://apidock.com/rails/v4.0.2/ActiveRecord/FinderMethods/find_one

Natan Rubinstein
    Well, both are secure to avoid *SQL injection*. The last one, I mean the `find` version, you are passing only the data. So it can be harmful from the point of view of SQL injection. And that is why it is being taken care of, which you see from the SQL generated. – Arup Rakshit Jul 20 '16 at 13:31
  • But the `where` version, you are passing `key/value` kind of data, so SQL injection is not possible here also. You can check the source code of both the implementation. – Arup Rakshit Jul 20 '16 at 13:33
  • The only difference is `User.find(123)` can't be chained, whereas `.where(..)` version can be. – Arup Rakshit Jul 20 '16 at 13:34
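
The two log lines in the question show the two safe routes a value can take into SQL: `where(id: 123)` quotes the value through the adapter and inlines it, while `find(123)` sends a `$1` placeholder with the value in a separate bind list (the find_one source linked above shows how that bind is attached). The route that is actually injectable is a third one that neither log line shows: interpolating the raw value into a `where` string. The following is an added illustration in plain Ruby, not ActiveRecord's own code or the project's code; it models the three routes with stand-ins for the adapter (the quoting rule copies PostgreSQL's string-literal rule of doubling a single quote), and the function names and sample inputs are mine.

```ruby
# Added example, not ActiveRecord code: three ways a query builder can put a
# user-supplied value into SQL, and a check for whether the value was able to
# change the query's structure. Uses only the Ruby standard library.

# Constructed sample inputs: a normal id and a classic injection payload.
SAFE_ID = "123"
PAYLOAD = "123' OR '1'='1"

BASE_SQL = 'SELECT "users".* FROM "users" WHERE "users"."id" = '

# 1. String interpolation: the raw value becomes SQL text. This corresponds to
#    where("id = '#{params[:id]}'") and is the only injectable route here.
def interpolated_query(id)
  BASE_SQL + "'#{id}'"
end

# 2. Escaped literal: the value is quoted and inlined, the route Rails 4.0's
#    where(id: ...) takes through the adapter's quote method. (For an integer
#    column the adapter casts instead; a string literal is used here so the
#    escaping itself is visible.)
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def quoted_query(id)
  BASE_SQL + quote_literal(id)
end

# 3. Bind parameter: the SQL text holds only a placeholder and never changes;
#    the value travels in a separate bind list, as in [["id", 123]].
def bound_query(id)
  [BASE_SQL + "$1 LIMIT 1", [["id", id]]]
end

# Reduce a statement to its "shape" by replacing each complete string literal
# (with '' as the escape inside a literal) by '?'. If user input changed the
# shape, it broke out of the literal and became part of the query's structure.
STRING_LITERAL = /'(?:[^']|'')*'/

def query_shape(sql)
  sql.gsub(STRING_LITERAL, "'?'")
end

# True when the payload alters the shape relative to a benign value.
def injectable?(builder)
  query_shape(send(builder, PAYLOAD)) != query_shape(send(builder, SAFE_ID))
end

if __FILE__ == $PROGRAM_NAME
  puts interpolated_query(PAYLOAD)
  puts query_shape(interpolated_query(PAYLOAD))   # '?' OR '?'='?'  -> structure changed
  puts quoted_query(PAYLOAD)
  puts query_shape(quoted_query(PAYLOAD))         # '?'             -> still one literal
  sql, binds = bound_query(PAYLOAD)
  puts sql, binds.inspect                         # SQL text is constant; value is in binds
  %i[interpolated_query quoted_query].each do |b|
    puts "#{b}: #{injectable?(b) ? 'INJECTABLE' : 'safe'}"
  end
end
```

The escaped-literal and bind-parameter routes both keep the payload inside one literal, which is why the comments above say both `where(hash)` and `find` are safe; the difference between them is where the escaping happens (client-side quoting versus the server treating the bind as data), not whether it happens. The shape check is a demonstration aid, not a detection tool: it only strips string literals, so it says nothing about numeric interpolation such as `where("id = #{params[:id]}")`, which is equally injectable.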

0 Answers