Protecting your application against malicious users is one of your key responsibilities as a developer. The built-in security provided by a well-maintained framework, such as Rails, is an excellent reason to use one.
This is particularly true of the protection afforded within Active Record for sanitizing user input before it is written to your database. However, there are ways to pass strings directly to Active Record scopes when you need to, but that power should be used very sparingly and carefully.
Instead of…
…using strings in any arguments sent to Active Record:
User.delete_by("id = #{params[:id]}")
User.where("email = #{params[:email]}")
Use…
…hash-based variants of the same…
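To make the difference concrete without a Rails install, here is an added example (not Active Record's own code) with a tiny stand-in for what a hash-based condition does: the column name is checked against an allow-list and the value is quoted as data, whereas the interpolated form splices the raw string into the SQL text. The `PARAMS` hash and the `users` table are constructed for the demo.

```ruby
# Added example, not Active Record's implementation: a minimal stand-in that
# contrasts string interpolation with a hash-based condition builder.

# Unsafe: the caller's string becomes part of the SQL text, syntax and all.
def where_interpolated(table, fragment)
  "SELECT * FROM #{table} WHERE #{fragment}"
end

# Quote one value as a SQL literal: strings get single quotes with any
# embedded quote doubled, integers pass through, nil becomes NULL.
# Anything else is rejected rather than guessed at.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when NilClass then "NULL"
  when String then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "unsupported literal: #{value.class}"
  end
end

# Identifiers cannot be bound like values, so column names come from an
# allow-list (assumed for this demo) and every value is quoted as data.
ALLOWED_COLUMNS = %w[id email].freeze

def where_hash(table, conditions)
  clauses = conditions.map do |column, value|
    col = column.to_s
    raise ArgumentError, "unknown column #{col}" unless ALLOWED_COLUMNS.include?(col)
    "#{col} = #{quote_literal(value)}"
  end
  "SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}"
end

# Constructed request parameters; the apostrophe is ordinary user data,
# yet it is enough to break the interpolated statement.
PARAMS = { email: "o'brien@example.com" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts where_interpolated("users", "email = #{PARAMS[:email]}")
  # => SELECT * FROM users WHERE email = o'brien@example.com
  puts where_hash("users", email: PARAMS[:email])
  # => SELECT * FROM users WHERE email = 'o''brien@example.com'
end
```

The interpolated version is not even valid SQL once the value contains a quote, which is the same mechanism that lets a crafted value alter the query; the hash form keeps the value inside the literal.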