
Yeah, I understand your point.

I have never ever used #{} in my code. When I first learned Rails, I knew this should be avoided at all cost.

I would prefer

"String 1: " + string1

rather than

"String 1: #{string1}"

Those two examples are _exactly_ the same; it's clear you don't understand the actual problem.

With SQL, you must never, EVER mix untrusted data (i.e., data from a user) with your trusted code (i.e., SQL statements). The same applies to HTML - never, EVER mix untrusted data with trusted code (i.e., HTML tags). If you want to mix the two, you must either:

a) first take steps to make your untrusted data trustworthy - for HTML, use an appropriate HTML scrubbing library to remove dangerous tags (or simply escape every & or <). For SQL, you'd have to escape all metacharacters - but I wouldn't recommend doing this for SQL, see below

b) find a way to transfer the data separately. All modern SQL libraries allow you to specify named variables in your SQL code, then fill in the variables separately. With this, the SQL library takes care of separating the untrusted data and trusted code.

The mechanism used to combine code and data is not the problem - + and #{} are equally harmful if used improperly, and equally harmless if properly escaped.

Sorry for the confusion. I realized that I gave the wrong example.

I should use

["created_at <= ?", @time]

rather than

"created_at <= #{@time}"

This is what I meant actually...
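The two points made above (that `+` and `#{}` produce identical strings, and that the fix is to escape for HTML or to hand the value to the database library through a placeholder such as Rails' `["created_at <= ?", @time]` form) as a runnable illustration. This is example code written for this thread, not code from any of the commenters or from Rails; the `Query` struct, the helper names and the sample input are constructed, and `parameterized` only models how a placeholder query keeps data out of the statement text (a real driver does the substitution).

```ruby
require 'cgi'

# Constructed sample of untrusted input, e.g. a value taken from a request parameter.
# It contains characters that matter to both HTML and SQL: an apostrophe, an ampersand
# and angle brackets.
UNTRUSTED_NAME = "O'Brien & <Sons>"

# 1. "+" and "#{}" build exactly the same string. Neither one escapes anything,
#    so neither is safer than the other.
def concat_vs_interpolate(value)
  ["String 1: " + value, "String 1: #{value}"]
end

# 2. HTML: make the data trustworthy before mixing it into markup.
#    CGI.escapeHTML (Ruby stdlib) escapes &, <, >, " and '.
def html_fragment(value)
  "<li>#{CGI.escapeHTML(value)}</li>"
end

# 3. SQL, the unsafe way: interpolation merges data into code. An apostrophe in the
#    value terminates the string literal, so the statement text itself changes.
def interpolated(value)
  "SELECT * FROM users WHERE name = '#{value}'"
end

# 3. SQL, the safe way: keep statement and data apart, like Rails' array form
#    ["created_at <= ?", @time]. The template never contains the value; the binds
#    travel separately and the database library substitutes them.
Query = Struct.new(:template, :binds)

def parameterized(template, *binds)
  # Guard against a placeholder/bind mismatch, which would silently shift values.
  # (Counts every '?' character, so the template must not contain a literal '?'.)
  expected = template.count('?')
  unless expected == binds.size
    raise ArgumentError, "#{expected} placeholder(s) but #{binds.size} bind(s)"
  end
  Query.new(template, binds)
end

if __FILE__ == $PROGRAM_NAME
  puts concat_vs_interpolate(UNTRUSTED_NAME).inspect
  puts html_fragment(UNTRUSTED_NAME)
  puts interpolated(UNTRUSTED_NAME)          # the quote in the value breaks the literal
  puts parameterized("SELECT * FROM users WHERE name = ?", UNTRUSTED_NAME).inspect
  puts parameterized("created_at <= ?", Time.utc(2021, 1, 1)).inspect
end
```

Running it shows the interpolated statement ending in `'O'Brien & <Sons>'`, i.e. the statement text itself has changed, while the parameterized form leaves the template as `... name = ?` and carries the raw value only in `binds`. The same distinction is what the `?` placeholder in Rails' array form gives you for free.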

> Yeah, I understand your point.

No, you don't...
