active_record_query_interface
🚫 Prevent SQL Injection with Query Interface
Avoid string interpolation in queries. Always use ActiveRecord’s parameter binding or named placeholders to automatically escape inputs.
# Bad (vulnerable): the raw value is spliced into the SQL text, so a quote character in it changes the query's meaning
User.where("email = '#{params[:email]}'")
# Good: hash conditions are bound as parameters and quoted by the database adapter
User.where(email: params[:email])
# or with named placeholders: the value replaces :email through ActiveRecord's sanitization, never as raw SQL
User.where("email = :email", email: params[:email])
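The example below is added here and is not code from the original page or from Rails/ActiveRecord. It is a pure-Ruby stand-in for what named placeholders do: `quote` doubles single quotes the way SQL string literals require, and `bind_named` swaps each `:name` for its quoted value, a simplified model of ActiveRecord's `sanitize_sql_array` (real adapter quoting handles more types and encodings). Alongside it are two defender-side checks: one that counts `OR` keywords left outside string literals, and a source scanner that flags the interpolated-string query shape. The `users` table, the `email` column, the hostile input and the sample source are all constructed.

```ruby
# Added example, not from the page or from ActiveRecord. Pure-Ruby model of
# named placeholders plus two checks; all data below is constructed.

# Render a value as a SQL string literal. Doubling an embedded single quote
# keeps it inside the literal instead of terminating it.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The vulnerable pattern: user input spliced straight into the SQL text.
def interpolated_where(email)
  "SELECT * FROM users WHERE email = '#{email}'"
end

# The safe pattern: every :name in the template becomes a quoted literal
# (simplified stand-in for ActiveRecord's sanitize_sql_array).
def bind_named(template, binds)
  template.gsub(/:(\w+)/) do
    key = Regexp.last_match(1).to_sym
    raise KeyError, "no bind supplied for :#{key}" unless binds.key?(key)
    quote(binds[key])
  end
end

def placeholder_where(email)
  "SELECT * FROM users WHERE " + bind_named("email = :email", email: email)
end

# Detection-side check: blank out every string literal and count the OR
# keywords left behind. Any OR outside a literal came from user data.
def or_outside_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''").scan(/\bOR\b/i).size
end

# Source-review check: flag query calls whose first argument is a string
# containing Ruby interpolation (the "Bad" shape above). Returns 1-based line numbers.
INTERPOLATED_QUERY = /\.(?:where|order|select|having|joins|find_by_sql)\(\s*["'].*?#\{/

def flag_interpolated_queries(source)
  source.lines.each_with_index
        .select { |line, _| line.match?(INTERPOLATED_QUERY) }
        .map { |_, index| index + 1 }
end

# Constructed sample source; single-quoted heredoc keeps #{...} literal.
SAMPLE_SOURCE = <<~'RUBY'
  User.where("email = '#{params[:email]}'")
  User.where(email: params[:email])
  User.where("email = :email", email: params[:email])
RUBY

if __FILE__ == $PROGRAM_NAME
  hostile = "' OR '1'='1"
  puts interpolated_where(hostile)                        # the OR becomes SQL: every row matches
  puts placeholder_where(hostile)                         # the OR stays inside one string literal
  puts or_outside_literals(interpolated_where(hostile))   # 1
  puts or_outside_literals(placeholder_where(hostile))    # 0
  p flag_interpolated_queries(SAMPLE_SOURCE)              # [1]
end
```

Running the file prints the two generated statements side by side: in the interpolated one the hostile `OR` sits outside any literal and rewrites the predicate, while in the placeholder one it is just text inside a single quoted value. The `flag_interpolated_queries` scanner is a crude grep, not a parser; it is meant as a cheap code-review or CI gate for the first pattern, and will not catch interpolation built up in a variable before the `where` call.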