Thanks for that pointer. I noticed that Phusion blog post shows classic SQL injection where two statements are created from one:
User.find_by_name("kotori'; DROP TABLE USERS; --")
# => SELECT * FROM users WHERE name = 'kotori\'; DROP TABLE USERS; --' LIMIT 1
For those using MySQL, notice that it isn't vulnerable to that style because
CLIENT_MULTI_STATEMENTS is disallowed by default; this is a rare case where MySQL is more secure than other database engines. A MySQL injection into a SELECT cannot make any database changes. At worst it could a) reveal secret information (anyone keep passwords in cleartext columns?) or b) overload the database and facilitate a Denial of Service attack.
Speaking of that, if you're using MySQL, make sure to set
traditional mode. Non-traditional mode was a bad idea. Making it the default was even worse!
-Colin