In Rails, when I try to get an object using where:
Customer.where(:name => "abc")
the log file shows that no database bindings are used.
WHERE "apps"."name" = 'abc'
If I create a new object
Customer.create(:name => "abc", :field => 1)
Rails uses parameters:
INSERT INTO "customers" ("name", "field") VALUES (?, ?)
How do I get Rails to use database parameter bindings in where as well?
The following statement also produces exactly the same where clause:
Customer.where("title = ?", "abc")
In Rails 3.1, prepared statements are used, so you will see queries like:
SELECT * FROM customers WHERE customers.name = ? [["name", "abc"]]
As far as I understand, this works for Postgres and not for MySQL.
You don't need to worry about SQL injection either way. Please see the protections against SQL injection that are built directly into Rails: http://guides.rubyonrails.org/security.html#sql-injection
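To make the distinction in the answers concrete, here is an added example (not code from the question, the answers, or Rails itself) that imitates, in plain Ruby without ActiveRecord, the three ways a WHERE clause ends up being built: Ruby string interpolation, a `?` placeholder that is quoted into the SQL text on the client side (what the first log line shows), and a true prepared statement where the SQL text keeps the `?` and the values travel separately (what the `[["name", "abc"]]` log line shows). The `quote_literal` helper, the hypothetical function names, and the `O'Brien` input are assumptions constructed for the example; the quoting rule used (doubling single quotes) is the standard SQL string-literal rule, standing in for the adapter's own quoting.

```ruby
# Added example: a miniature of how user input reaches a WHERE clause.
# Not Rails code; helper names are hypothetical and the inputs are constructed.

# Standard SQL string-literal quoting: wrap in single quotes and double any
# embedded single quote. Stands in for the database adapter's quote method.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# 1. Interpolation: the input is spliced into the SQL text verbatim.
#    Nothing distinguishes the value from the surrounding SQL.
def interpolated_where(name)
  "SELECT * FROM customers WHERE name = '#{name}'"
end

# 2. Client-side placeholder (Customer.where("name = ?", value) without
#    prepared statements): each ? is replaced by the quoted value, so the
#    log shows a complete literal such as 'abc'. Counts must match.
def placeholder_where(template, *values)
  raise ArgumentError, "wrong number of bind values" unless template.count("?") == values.size
  i = -1
  template.gsub("?") { quote_literal(values[i += 1]) }
end

# 3. Hash conditions (Customer.where(:name => "abc")): column names come from
#    the model's schema, values are quoted exactly as in case 2.
def hash_where(table, conditions)
  clauses = conditions.map { |col, val| %("#{table}"."#{col}" = #{quote_literal(val)}) }
  "SELECT * FROM #{table} WHERE " + clauses.join(" AND ")
end

# 4. Prepared statement: the SQL text keeps its ? markers and the values are
#    sent to the database separately, which is what the
#    `... = ? [["name", "abc"]]` log line reflects.
def prepared_where(template, *values)
  [template, values]
end

# Cheap sanity check used below: a well-formed statement built from quoted
# literals always has an even number of single quotes.
def balanced_quotes?(sql)
  sql.count("'").even?
end

# Constructed inputs: an ordinary value and a perfectly legitimate name that
# happens to contain a quote character.
SAFE_INPUT = "abc"
ODD_INPUT  = "O'Brien"

if __FILE__ == $0
  puts interpolated_where(ODD_INPUT)          # quote from the value breaks the statement
  puts placeholder_where("SELECT * FROM customers WHERE name = ?", ODD_INPUT)
  puts hash_where("customers", name: SAFE_INPUT)
  p   prepared_where("SELECT * FROM customers WHERE customers.name = ?", SAFE_INPUT)
end
```

Running the script shows why the answers say the `?` and hash forms are safe even when the log prints a literal instead of a bind marker: with `O'Brien` the interpolated statement is left with an unbalanced quote, while the placeholder and hash forms produce `'O''Brien'`, a single literal the database cannot confuse with SQL. The prepared-statement form never merges the value into the text at all, which is the behaviour the Rails 3.1 log line documents.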