Critical SeverityA03:2021 - InjectionCWE-89

How to Fix SQL Injection in Ruby on Rails

Learn how to prevent and fix SQL Injection vulnerabilities in Ruby on Rails applications. Step-by-step guide with code examples, security checklists, and best practices.

What Is SQL Injection?

SQL Injection is a code injection technique that exploits security vulnerabilities in an application's database layer. It occurs when user-supplied data is included in SQL queries without proper sanitization, allowing an attacker to manipulate the query's logic. An attacker can craft input that changes the intended SQL command, gaining unauthorized access to data.

The attack works by inserting (or "injecting") SQL fragments into input fields, URL parameters, cookies, or HTTP headers that are then incorporated into database queries. For example, a login form vulnerable to SQL injection might allow an attacker to bypass authentication by entering `' OR '1'='1` as a password. More sophisticated attacks can use UNION-based injection to extract data from other tables, blind injection to infer data one bit at a time, or stacked queries to execute arbitrary SQL commands.

While ORMs and query builders have reduced the prevalence of SQL injection, it remains common in applications that use raw queries, dynamic query construction, or improperly configured ORMs. Stored procedures are not immune either if they construct dynamic SQL internally.

Why It Matters

SQL Injection consistently ranks among the most dangerous web vulnerabilities because of its severe impact. A successful attack can lead to complete database compromise, allowing attackers to read all data including credentials, personal information, and financial records. Attackers can modify or delete data, causing data integrity issues and potential business disruption. In some database configurations, SQL injection can be escalated to operating system command execution, leading to full server compromise. The 2017 Equifax breach, which exposed 147 million records, was caused by a related injection vulnerability. For applications subject to regulations like GDPR or HIPAA, a SQL injection breach can result in millions of dollars in fines.

How to Fix It in Ruby on Rails

The most effective defense against SQL injection is using parameterized queries (also called prepared statements) for all database interactions. Never concatenate user input directly into SQL strings. Use your ORM's built-in query methods rather than raw SQL wherever possible. If raw queries are necessary, always use parameterized placeholders. Implement input validation using strict allowlists for expected data types and formats. Apply the principle of least privilege to database accounts -- the application should connect with minimal necessary permissions. Use a Web Application Firewall (WAF) as an additional layer. Regularly audit your codebase for raw query construction patterns.

Ruby on Rails-Specific Advice

Rails auto-escapes HTML in ERB templates by default. Never use `raw()` or `html_safe` with unsanitized user content.
Use ActiveRecord query interface with parameterized conditions. Never use string interpolation in `where()` clauses.
Keep Rails' built-in CSRF protection enabled. Use `protect_from_forgery with: :exception` in ApplicationController.
Use Strong Parameters (`params.require(:model).permit(:field)`) to prevent mass assignment vulnerabilities.

Code Examples

Vulnerable: String interpolation in where clause

# DANGEROUS -- SQL injection
def show
  user = User.where("id = '#{params[:id]}'").first
  render json: user
end

Secure: ActiveRecord parameterized queries

# Option 1: ActiveRecord find (always safe)
def show
  user = User.find(params[:id])
  render json: user
end

# Option 2: Parameterized where clause
def show
  user = User.where(id: params[:id]).first
  render json: user
end

# Option 3: Placeholder syntax
def show
  user = User.where("id = ?", params[:id]).first
  render json: user
end

Ruby on Rails Security Checklist for SQL Injection

Replace all raw SQL string concatenation with parameterized queries or ORM methods

Audit every database query in your Ruby on Rails codebase for user input handling

Use an ORM or query builder as the default for all database operations

Apply the principle of least privilege to database connection credentials

Implement input validation (type, length, format) before data reaches the database layer

Enable database query logging in development to review generated SQL

Run SafeVibe's SQL injection scan on your Ruby on Rails application

Ruby on Rails Security Best Practices

Rails auto-escapes HTML in ERB templates by default. Never use `raw()` or `html_safe` with unsanitized user content.

Use ActiveRecord query interface with parameterized conditions. Never use string interpolation in `where()` clauses.

Keep Rails' built-in CSRF protection enabled. Use `protect_from_forgery with: :exception` in ApplicationController.

Use Strong Parameters (`params.require(:model).permit(:field)`) to prevent mass assignment vulnerabilities.

Configure `force_ssl` in production to enforce HTTPS. Set `config.force_ssl = true` in `production.rb`.

Use `has_secure_password` with bcrypt for password handling. Never implement custom password hashing.

Use `rack-attack` gem for rate limiting and throttling. Block suspicious IPs and limit authentication attempts.

Keep `secret_key_base` secret and never commit it to version control. Use Rails credentials or environment variables.

Scan Your Ruby on Rails App with SafeVibe

Stop guessing if your Ruby on Rails app is vulnerable to SQL Injection. Run an automated penetration test in minutes and get actionable results.

Start Free Scan

Related Guides

SQL Injection in Other Frameworks

Express FastAPI Django Laravel

View all SQL Injection guides

More Ruby on Rails Security Guides

Cross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)Insecure Direct Object References (IDOR)Broken Authentication

View all Ruby on Rails guides