I have this line of code inside of my controller. user = User.find_by_email(params[:email]) Should

Question

0

Asked: June 15, 20262026-06-15T15:19:15+00:00 2026-06-15T15:19:15+00:00

I have this line of code inside of my controller. user = User.find_by_email(params[:email]) Should

0

I have this line of code inside of my controller.

user = User.find_by_email(params[:email])

Should I have to worry about SQL injection with this line of code? Most of the examples I’ve seen for sql injection involve conditionals. I would assume this is a yes but want some outside input.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-15T15:19:16+00:00

You should only have to worry about this in SQL fragment methods like where(), connection.execute() or find_by_sql(), although if you want to be sure you can use a method like sanitize_sql(). I would recommend reading through this, most notably section 8 for your case.

Update:
For example

User.find_by_email("'' OR 1--")

would evaluate to

SELECT "users".* FROM "users" WHERE "users"."email" = $1 LIMIT 1  [["email", "'' OR 1--"]]

which would be sanitized.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have this line of code inside of my controller. user = User.find_by_email(params[:email]) Should

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply