diff options
author | Jaime Iniesta <jaimeiniesta@gmail.com> | 2010-07-09 17:53:47 +0200 |
---|---|---|
committer | Jaime Iniesta <jaimeiniesta@gmail.com> | 2010-07-09 17:53:47 +0200 |
commit | c6f4c5916ef467814d970c70627a82c1df4d2686 (patch) | |
tree | 0e697aea7aef0ca88902d884227c665f6300dfaa /railties/guides/source/security.textile | |
parent | d7ffa3c077e08921ea7897455084fc2942fe0977 (diff) | |
download | rails-c6f4c5916ef467814d970c70627a82c1df4d2686.tar.gz rails-c6f4c5916ef467814d970c70627a82c1df4d2686.tar.bz2 rails-c6f4c5916ef467814d970c70627a82c1df4d2686.zip |
Minor typos: 'built-in' instead of 'built in', 'built into' instead of 'built in to'
Diffstat (limited to 'railties/guides/source/security.textile')
-rw-r--r-- | railties/guides/source/security.textile | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index b45514f66d..60108d5ab3 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -670,7 +670,7 @@ Also, the second query renames some columns with the AS statement so that the we h5(#sql-injection-countermeasures). Countermeasures -Ruby on Rails has a built in filter for special SQL characters, which will escape ' , " , NULL character and line breaks. <em class="highlight">Using +Model.find(id)+ or +Model.find_by_some thing(something)+ automatically applies this countermeasure</em>. But in SQL fragments, especially <em class="highlight">in conditions fragments (+:conditions => "..."+), the +connection.execute()+ or +Model.find_by_sql()+ methods, it has to be applied manually</em>. +Ruby on Rails has a built-in filter for special SQL characters, which will escape ' , " , NULL character and line breaks. <em class="highlight">Using +Model.find(id)+ or +Model.find_by_some thing(something)+ automatically applies this countermeasure</em>. But in SQL fragments, especially <em class="highlight">in conditions fragments (+:conditions => "..."+), the +connection.execute()+ or +Model.find_by_sql()+ methods, it has to be applied manually</em>. Instead of passing a string to the conditions option, you can pass an array to sanitize tainted strings like this: |