Friday, April 12, 2013

[Rails] rails named scopes and sql injection

Hi guys,

I just came through an example on code of the place I work for that said something like this could be vulnerable to SQL injection attacks:

scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }

I wonder if this is true. My thought is that Rails should escape this and that anything that tried to do something different would fail on the translation to SQL, but does anybody know exactly what happens behind the curtains?

All the best,

Andre
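An added example for the question above (not from the thread or from Rails itself): a stand-alone Ruby model of what ActiveRecord does with a "?" placeholder, which is to pass the bound value through the connection adapter's quote method so it can only ever land in the SQL as a string literal, shown beside the unsafe interpolated form. It also covers the one thing the placeholder does not handle, LIKE wildcards in the input. The helper names are hypothetical, the quoting is a simplified version of the adapter's, and backslash is assumed as the LIKE escape character.

```ruby
# Simplified model of ActiveRecord placeholder binding (added example, not Rails code).
# Helper names (quote_value, bind_placeholders, sanitize_like) are hypothetical.

# Mimics connection.quote for a String: double embedded quotes, wrap in quotes.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Mimics sanitize_sql_array: each "?" is replaced by a quoted bound value,
# so the value can never change the structure of the statement.
def bind_placeholders(sql, *values)
  raise ArgumentError, "wrong number of bind values" unless sql.count("?") == values.size
  vals = values.dup
  sql.gsub("?") { quote_value(vals.shift) }
end

# The unsafe pattern: interpolating the raw value into the SQL text.
# A value containing a quote breaks out of the literal (here it just breaks the query).
def where_with_name_interpolated(name)
  "SELECT * FROM users WHERE LOWER(name) LIKE '#{name.downcase}'"
end

# The pattern from the post: the value is bound, quotes are escaped,
# but LIKE metacharacters (% and _) in the input are still live.
def where_with_name_bound(name)
  "SELECT * FROM users WHERE " + bind_placeholders("LOWER(name) LIKE ?", name.downcase)
end

# Escapes LIKE wildcards so user input matches literally.
# Rails 4.2+ ships sanitize_sql_like for this; written out here for illustration.
# Assumes backslash is the database's LIKE escape character.
def sanitize_like(str, escape_char = "\\")
  str.gsub(/[\\%_]/) { |m| escape_char + m }
end

# Bound value with wildcards escaped: safe from injection and from pattern abuse.
def where_with_name_bound_literal(name)
  "SELECT * FROM users WHERE " +
    bind_placeholders("LOWER(name) LIKE ?", sanitize_like(name.downcase))
end
```

Run the three builders with a name containing a quote (for instance O'Brien) to see that only the interpolated form ends up with unbalanced quoting; with a value of "%" the bound form is still a valid statement but matches every row, which is what the escaped variant prevents.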

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/sUZMdFuzGT0J.