Does ModelName.new protect against sql injection?
Example:
@user = User.new(params[:user])
@user.save
I've read the Rails security docs and didn't see anything about inserts via Model.new.
Thanks!
Model.new has nothing to do with SQL injection, as it is not the method that writes to the database. It is Model.save that actually writes to the database and takes care of SQL injection.
Yes, it protects against SQL injection and is safe, as params[:user] is a hash.
You can check it with the following example. I assume you get some invalid values in params[:user][:name]:

@user = User.new(params[:user])
@user.save

AND

@user = User.new()
@user.name = params[:user][:name] # your application may crash here, or this is not SQL injection safe
@user.save

To avoid this you can use a hash:

@user = User.new({:name => params[:user][:name]})
@user.save

After reading this I came to the conclusion that neither .new nor .save is safe from SQL injection.
Edited:
The mass-assignment feature may become a problem, as it allows an attacker to set any model's attributes by manipulating the hash passed to a model's new() method.
PLEASE READ 6 Mass Assignment for its problems and 6.1 Countermeasures for the solution.
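To make the mechanics behind the two answers concrete, here is an added, stand-alone Ruby example. It is not code from the original posts and it is not ActiveRecord itself: quote_sql mimics the doubled-single-quote rule that SQLite and PostgreSQL adapters apply when save builds an INSERT, insert_sql and unsafe_insert_sql are assumed helper names, PERMITTED_USER_ATTRS is an assumed whitelist standing in for the section 6.1 countermeasure, and SAMPLE_PARAMS is constructed input. It shows that the protection lives in how values are quoted at write time (not in new), what an unquoted interpolation does with an ordinary apostrophe, and how whitelisting stops an extra admin key in params[:user] from reaching the model.

```ruby
# Added example: a small stand-in for what ActiveRecord does on save and for the
# mass-assignment countermeasure from the Rails security guide. NOT Rails code;
# quote_sql mimics the doubled-single-quote rule used by the SQLite/PostgreSQL
# adapters, and PERMITTED_USER_ATTRS is an assumed whitelist for this illustration.

# Turn a Ruby value into a SQL literal. A single quote inside a string is doubled,
# so the database reads the whole value as data, never as SQL syntax.
def quote_sql(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"
  when false          then "0"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Build the INSERT that save would issue for the attributes new received.
# Every value goes through quote_sql; that, not new itself, is the protection.
def insert_sql(table, attrs)
  cols = attrs.keys.map(&:to_s).join(", ")
  vals = attrs.values.map { |v| quote_sql(v) }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# The pattern that is actually unsafe: splicing raw input into the statement.
# A plain apostrophe in a legitimate name already breaks the quoting.
def unsafe_insert_sql(table, attrs)
  cols = attrs.keys.map(&:to_s).join(", ")
  vals = attrs.values.map { |v| "'#{v}'" }.join(", ")
  "INSERT INTO #{table} (#{cols}) VALUES (#{vals})"
end

# Mass-assignment countermeasure (section 6.1 of the guide): keep only whitelisted
# keys, so a client cannot set attributes such as admin just by adding them to
# params[:user]. Assumed whitelist, not a Rails constant.
PERMITTED_USER_ATTRS = [:name, :email].freeze

def permit(attrs, allowed = PERMITTED_USER_ATTRS)
  attrs.select { |k, _| allowed.include?(k.to_sym) }
end

# Constructed request input: a legitimate name containing an apostrophe plus an
# unexpected admin key, the shape a client-controlled params[:user] hash can take.
SAMPLE_PARAMS = { user: { name: "Miles O'Brien", email: "mob@example.com", admin: true } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts insert_sql("users", permit(SAMPLE_PARAMS[:user]))
  # => INSERT INTO users (name, email) VALUES ('Miles O''Brien', 'mob@example.com')
  puts unsafe_insert_sql("users", SAMPLE_PARAMS[:user])
  # => INSERT INTO users (name, email, admin) VALUES ('Miles O'Brien', 'mob@example.com', 'true')
end
```

Run it with plain ruby: the quoted statement keeps the apostrophe inside the literal and drops the admin column entirely, while the interpolated one produces a statement whose string literal ends at the apostrophe and carries admin through untouched.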