---
title: Use Parameterized Queries
impact: CRITICAL
impactDescription: prevents SQL Injection attacks
tags: security, sql-injection, database, rails-active-record
---

## Use Parameterized Queries

Never build SQL queries using string interpolation of user-supplied data. Use ActiveRecord's built-in parameterization or sanitization methods.

**Incorrect (SQL Injection vulnerability):**

```ruby
User.where("name = '#{params[:name]}'")
# Attacker-controlled params[:name]: ' OR '1'='1
# Resulting SQL: WHERE name = '' OR '1'='1'  (matches every row)
```

**Correct (parameterized queries):**

```ruby
# Using Hash syntax (auto-parameterized)
User.where(name: params[:name])

# Using Array placeholders
User.where("name = ?", params[:name])

# Using Named placeholders
User.where("name = :name", name: params[:name])
```
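
As an added example that is not part of the original rule or of ActiveRecord, here is a plain-Ruby model of the `?` and `:name` placeholder binding shown above, with a shape check that makes visible why the interpolated form changes the query's structure while the bound forms do not. `sql_quote`, `bind_positional`, `bind_named`, `shape` and `demo` are hypothetical helpers; real adapters quote in the driver (or ship binds separately to the server).

```ruby
# Quote a Ruby value as a SQL literal; embedded single quotes are doubled.
def sql_quote(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Positional form: each `?` in the template consumes one value, in order.
# gsub with a block scans only the original template, so quotes inside a
# bound value are never re-read as further placeholders or SQL syntax.
def bind_positional(template, *values)
  raise ArgumentError, "expected #{template.count('?')} values" unless template.count("?") == values.size
  template.gsub("?") { sql_quote(values.shift) }
end

# Named form: each `:name` token is looked up in a hash (missing key raises).
def bind_named(template, binds)
  template.gsub(/:([a-zA-Z]\w*)/) { sql_quote(binds.fetch($1.to_sym)) }
end

# The anti-pattern from the rule, written out as a plain string build.
def interpolated(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Reduce a statement to its shape: every string literal becomes `?`.
# A parameterized statement keeps the same shape for any bound value;
# an interpolated one changes shape as soon as the input carries quotes.
def shape(sql)
  sql.gsub(/'(?:[^']|'')*'/, "?")
end

ATTACKER = "' OR '1'='1"  # constructed input, the same payload as in the rule
TEMPLATE = "SELECT * FROM users WHERE name = ?"

# Constructed demonstration values, collected so they can be inspected.
def demo
  {
    interpolated_shape: shape(interpolated(ATTACKER)),
    benign_shape:       shape(interpolated("alice")),
    positional_shape:   shape(bind_positional(TEMPLATE, ATTACKER)),
    named_shape:        shape(bind_named("SELECT * FROM users WHERE name = :name", name: ATTACKER))
  }
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

Only `interpolated_shape` differs from the template's shape: the attacker's quotes ended a literal and added `OR ?=?` to the predicate, whereas both bound forms keep the payload inside a single quoted literal.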

**Tools:** Brakeman, RuboCop (`Rails/WhereNotWithInterpolation`)
---
