且构网 - sharing what programmers run into in development

SQL injection prevention in ActiveRecord find and create methods

Updated: 2023-02-05 22:41:42

That code is safe from SQL injection attacks. The escaping is done by ActiveRecord, so any time you call a model's find, create, new/save, or any other method that does database interaction, you're OK. The only exception is if you use raw SQL for one of the options, for example:

Comment.find(:all, :conditions => "user_id = #{params[:user_id]}")

the preferred form is:

Comment.find(:all, :conditions => {:user_id => params[:user_id]})

which will be automatically protected against SQL injection.
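Added example, not part of the answer above and not ActiveRecord's own code: a dependency-free Ruby simulation of the three ways of building the WHERE clause that the answer contrasts. `quote_value`, `sanitize_sql_array` and `sanitize_sql_hash` are simplified stand-ins written for this page to show why interpolation is exploitable and why the hash (and placeholder) forms are not; the attacker input is constructed.

```ruby
# Added example (not from the original answer, not ActiveRecord code).
# Minimal simulation of building a :conditions clause three ways.

# 1. The vulnerable form from the answer: params[:user_id] is interpolated
#    straight into the SQL string, so the request value is parsed as SQL.
def interpolated_conditions(params)
  "user_id = #{params[:user_id]}"
end

# Quote a Ruby value the way a SQL adapter would (simplified stand-in):
# integers stay bare, nil becomes NULL, strings are single-quoted with
# embedded single quotes doubled so the literal cannot be terminated early.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# 2. Placeholder form, ["user_id = ?", value]: each ? is replaced with a
#    quoted value, so attacker input stays inside a string literal.
def sanitize_sql_array(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind values"
  end
  vals = values.dup
  template.gsub("?") { quote_value(vals.shift) }
end

# 3. Hash form from the answer, {:user_id => value}: column names come from
#    the developer's hash keys, values are always quoted.
def sanitize_sql_hash(conditions)
  conditions.map { |column, value| "#{column} = #{quote_value(value)}" }.join(" AND ")
end

# Constructed attacker input: what a request with ?user_id=1 OR 1=1 yields.
MALICIOUS_PARAMS = { :user_id => "1 OR 1=1" }

if __FILE__ == $0
  puts interpolated_conditions(MALICIOUS_PARAMS)                          # user_id = 1 OR 1=1
  puts sanitize_sql_array("user_id = ?", MALICIOUS_PARAMS[:user_id])      # user_id = '1 OR 1=1'
  puts sanitize_sql_hash(:user_id => MALICIOUS_PARAMS[:user_id])          # user_id = '1 OR 1=1'
end
```

The interpolated form turns the request value into a tautology that matches every row; the other two forms leave it as a harmless string literal. Real ActiveRecord goes further than this stand-in and also type-casts the value to the column's type, but the quoting is what makes the hash and placeholder forms safe regardless of column type.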