All of ActiveRecord's query-building methods, like where, group, order, and so on, are safe against SQL injection AS LONG AS you do not pass them raw SQL strings. This is vulnerable to SQL injection:
Model.where("event_id = #{params[:id]}")
When you pass a string to a query-building method like that, the string will be inserted directly into the generated SQL query. This is useful sometimes, but it does raise the danger of an injection vulnerability. On the other hand, when you pass a hash of values, like this:
Model.where(event_id: params[:id])
...then AR automatically quotes the values for you, protecting you against SQL injection.
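Added example, not part of the answer above and not ActiveRecord's own code: a small stand-in for the quoting ActiveRecord applies to hash conditions (and to "?" placeholders, which where also accepts) is used to show what SQL text each calling style produces. It needs no database and only builds SQL strings; the request parameter is constructed for the demonstration, and the quoting rules cover only the common cases (integers bare, strings single-quoted with embedded quotes doubled) rather than AR's full type casting.

```ruby
# Stand-in for ActiveRecord's value quoting (assumption: mirrors the common
# cases only; real AR also casts by column type). Integers are emitted bare,
# strings are single-quoted with embedded single quotes doubled.
def quote_value(value)
  case value
  when Integer then value.to_s
  when NilClass then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Unsafe form: the caller's string is spliced into the SQL verbatim, so any
# SQL syntax inside a request parameter becomes part of the query.
def where_raw(fragment)
  "SELECT * FROM models WHERE #{fragment}"
end

# Safe form: hash conditions. Each value is quoted before it reaches the SQL
# text, so the whole parameter is treated as a single literal.
def where_hash(conditions)
  clauses = conditions.map { |column, value| "#{column} = #{quote_value(value)}" }
  "SELECT * FROM models WHERE #{clauses.join(' AND ')}"
end

# Safe form: "?" placeholders bound in order, as in where("event_id = ?", id).
def where_bind(template, *binds)
  unless template.count("?") == binds.size
    raise ArgumentError, "wrong number of bind variables"
  end
  sql = template.gsub("?") { quote_value(binds.shift) }
  "SELECT * FROM models WHERE #{sql}"
end

if __FILE__ == $0
  params = { id: "1 OR 1=1" } # constructed request parameter
  puts where_raw("event_id = #{params[:id]}")  # parameter becomes SQL
  puts where_hash(event_id: params[:id])       # parameter stays a literal
  puts where_bind("event_id = ?", params[:id]) # same, via placeholder
end
```

Running the script prints the raw form with the parameter's `OR 1=1` merged into the WHERE clause, while the hash and placeholder forms emit `'1 OR 1=1'` as one quoted literal. The practical rule is the one the answer states: pass a hash (or a template with "?" binds) and let AR quote; never interpolate params into the string.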