---
title: Avoid SQL injection with parameterized queries
impact: CRITICAL
impactDescription: Prevent SQL injection vulnerabilities.
tags: ruby, rails, security, sql-injection, active-record
---

## Avoid SQL injection with parameterized queries

Prevent SQL injection vulnerabilities. Never build SQL by interpolating user input into a string. Pass values to the database through parameterized queries, using positional (`?`) or named (`:name`) placeholders, and prefer hash conditions for `where` clauses over raw SQL fragments.

**Incorrect (Vulnerable):**

```ruby
# Direct interpolation is dangerous
User.where("name = '#{params[:name]}'")
```

**Correct (Safe):**

```ruby
# Parameterized
User.where("name = ?", params[:name])

# Hash-based (Recommended)
User.where(name: params[:name])
```
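To show why the two forms above differ, here is an added example (not part of this rule, and not ActiveRecord's own code) that re-implements `?` and `:name` placeholder binding as the hypothetical helpers `quote_value` and `bind_sql`, then builds the same query both ways from one hostile input:

```ruby
# Added example: a minimal stand-in for ActiveRecord-style placeholder
# binding, so the difference between interpolation and binding is visible
# without a database. `quote_value` and `bind_sql` are hypothetical helpers,
# not ActiveRecord API, and they ignore placeholders inside string literals.

# Quote a Ruby value as a SQL literal, doubling embedded single quotes.
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Bind positional (?) or named (:name) placeholders into a SQL fragment.
def bind_sql(fragment, *args)
  if args.size == 1 && args.first.is_a?(Hash)
    binds = args.first
    fragment.gsub(/:(\w+)/) do
      key = Regexp.last_match(1).to_sym
      raise KeyError, "missing bind :#{key}" unless binds.key?(key)
      quote_value(binds[key])
    end
  else
    values = args.dup
    bound = fragment.gsub("?") do
      raise ArgumentError, "too few binds" if values.empty?
      quote_value(values.shift)
    end
    raise ArgumentError, "too many binds" unless values.empty?
    bound
  end
end

# Vulnerable: the input is spliced into the SQL grammar itself.
def vulnerable_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Safe: whatever the input contains, it lands in one quoted literal.
def safe_query(name)
  "SELECT * FROM users WHERE " + bind_sql("name = ?", name)
end

if __FILE__ == $PROGRAM_NAME
  input = "alice' OR '1'='1" # constructed hostile input
  puts vulnerable_query(input) # the OR clause becomes part of the query
  puts safe_query(input)       # the whole string stays a name literal
end
```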

**Tools:** Brakeman, RuboCop (`Rails/SquishedSQLHeredocs`)
