On Friday 30 May 2008 12:30:59 Todd Benson wrote:
> On Fri, May 30, 2008 at 1:04 AM, KUBO Takehiro <kubo / jiubao.org> wrote:

> How can you not still do insecure injection with this?

Well, if you use single quotes for your SQL string, you can't because either 
the SQL library will quote the other arguments properly, or they'll be sent 
to the database via some other mechanism than inclusion in the string.

As another example: There's nothing inherently insecure about:

eval('lambda { |x| do_something_with(x) }').call(random_user_input)

There is, however, something very insecure about:

eval("do_something_with('#{random_user_input}')")

The single easiest way to avoid SQL injection is to always include input as 
positional arguments, never directly in a string.
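As an added example (not code from the original post), the two eval forms described above fed the same user input. `do_something_with` is a stand-in helper defined here only so the script runs; the payload is constructed, and the `$pwned` flag simply records whether the input got to run as code. The same distinction is what separates a parameterised SQL query from one built by interpolating the value into the statement text.

```ruby
# Added example, not from the original post. Records every call so the two
# eval forms can be compared.
$calls = []

# Stand-in for whatever the real code would do with the value.
def do_something_with(x)
  $calls << x
  x
end

# Safe form: the evaluated source is a fixed literal. The input only ever
# arrives as the lambda's argument, so it is data and is never parsed as Ruby.
def run_as_argument(input)
  eval('lambda { |x| do_something_with(x) }').call(input)
end

# Unsafe form: the input is spliced into the source text before it is parsed,
# so a quote in the input ends the string literal and whatever follows runs
# as Ruby code.
def run_interpolated(input)
  eval("do_something_with('#{input}')")
end

# Constructed malicious input: closes the single-quoted string, executes an
# extra statement, then re-opens a string so the remaining source still parses.
$pwned = false
PAYLOAD = "x'); $pwned = true; do_something_with('y"

# Runs both forms against the payload and reports what each one did.
def demo
  $calls.clear
  $pwned = false
  safe = run_as_argument(PAYLOAD)   # whole payload handled as one string
  safe_pwned = $pwned               # still false: nothing in it ran as code
  unsafe = run_interpolated(PAYLOAD)
  {
    safe: safe,
    safe_pwned: safe_pwned,
    unsafe: unsafe,
    unsafe_pwned: $pwned,           # true: the injected statement executed
    calls: $calls.dup
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With the interpolated form the helper is called twice, once with `"x"` and once with `"y"`, and the statement smuggled in between is executed; with the argument form it is called once with the entire payload as an ordinary string.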