On Dec 3, 2004, at 16:21, Bruno Mattarollo wrote:

> I am not really well versed in AR or Rails (nor the database adapters
> in Ruby) but using "bind variables" is usually the way to avoid SQL
> injection.

Indeed - that's exactly what I'm recommending.

Cheers

Dave
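The point both posters agree on, shown in working code. This is an added example, not code from the thread, from ActiveRecord or from Rails: it contrasts string interpolation with the "?" placeholder style that ActiveRecord's `:conditions => ["name = ?", value]` form uses. It needs no gems; `bind_sql` and `sql_quote` are hypothetical helpers that quote each value client-side, which is what ActiveRecord's adapters of that era did. The sample attacker input is constructed for the demonstration.

```ruby
# Vulnerable: the untrusted value is pasted straight into the SQL text,
# so a quote character in the input changes the shape of the query.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote one Ruby value as a SQL literal (hypothetical helper, not an
# ActiveRecord API): strings are single-quoted with embedded quotes
# doubled, numbers are emitted bare, nil becomes NULL. Note that this
# does not handle backslash escaping for databases such as MySQL that
# treat backslashes specially; a real application should rely on the
# adapter's own quoting or on server-side prepared statements.
def sql_quote(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  when String then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "cannot bind #{value.class}"
  end
end

# Hypothetical client-side binder: each "?" in the template is replaced
# by the quoted form of the matching value. The template never contains
# user input, so the attacker cannot alter the statement's structure.
# gsub walks the original template only, so a "?" inside a bound value
# is never re-expanded.
def bind_sql(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.length
    raise ArgumentError, "expected #{placeholders} values, got #{values.length}"
  end
  queue = values.dup
  template.gsub("?") { sql_quote(queue.shift) }
end

# Safe: the same query built through the binder.
def safe_query(name)
  bind_sql("SELECT * FROM users WHERE name = ?", name)
end

if __FILE__ == $0
  # Constructed attacker input: closes the string literal and appends an
  # always-true predicate.
  payload = "x' OR '1'='1"
  puts unsafe_query(payload)   # WHERE name = 'x' OR '1'='1'  (every row)
  puts safe_query(payload)     # WHERE name = 'x'' OR ''1''=''1'  (literal match)
end
```

The binder also refuses a mismatch between placeholders and values, which catches the common bug of an argument list that drifted out of step with the template.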