There are times when SQL injection is the most shocking attacks on the internet. SQL injection means a condition where user is molding a SQL query in a unexpected form.If the queries are not handled properly it can lead to results like leaking of data to cracking of a database access. This particular topic is a topic which is very well understood by most of the developers and the good thing to avoid is that rails already makes it very simple to avoid it.but you should be really careful in handling that, if not you will remove all of that safety.let me give you an example:

Ex: Lets say you have a page which is giving salary account details by search a user can type /salaryDetails?name=mohan it will give all the salary account details which is starting from "mohan".the query would be like:

SELECT * FROM "salary_details" WHERE name LIKE '%mohan%'.

Never use queries like

query = "SELECT * FROM salary_details WHERE name = '#{name}' AND password = '#{password'} LIMIT 1"

Use query like this:

User.where(:name => name, :password => :password).first

Rails applications interact with a database through ActiveRecord, through Object Relational Mapping (ORM) layer which comes by default with Rails. ORMs is safer. ORM maps database tables to classes.If a database has a table called users, than our application will have a class named User. Rows of the table correspond to objects of the class.