views:

128

answers:

2

When I make a query...

is there any meaningful difference between using a find_by helper or not?

Are there any reasons I'm overlooking for opting for shorter lines of code when doing things like this?

Booking.find_all_by_user_id(1, :joins => :confirmation)

Booking.find(:all, :joins => :confirmation, :conditions => [ 'bookings.user_id = ?', 1] )
+3  A: 

No, regarding injection attacks. The find_by method should be safe. However, the only killer mistake is to use user input directly inside your conditions param when using the find method, like doing:

Booking.find(:all, :joins => :confirmation, :conditions => [ "bookings.user_id = #{params[:user_id]}" ] )

Of course, the right one is the way you did it, and the find method will filter things up.

Booking.find(:all, :joins => :confirmation, :conditions => [ 'bookings.user_id = ?', params[:user_id] ] )
khelll
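Added example, not code from the question or from either answer: a small stand-in for the `?` placeholder binding that ActiveRecord applies to a :conditions array, so the difference between the interpolated and the bound form can be seen without a database. The helpers `quote`, `bind_conditions`, `interpolated_conditions`, `bound_conditions` and `input_contained?` are names assumed for this illustration, not the real ActiveRecord API, and the request values at the bottom are constructed.

```ruby
# Added example (not from the question or the answers). Emulates ActiveRecord's
# "?" placeholder binding so the contrast with string interpolation is visible
# offline. All helper names below are assumptions for this illustration.

# Quote one value the way a SQL adapter would: integers stay bare, nil becomes
# NULL, everything else is a single-quoted literal with embedded quotes doubled.
def quote(value)
  case value
  when Integer  then value.to_s
  when NilClass then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the quoted value at that position.
# Substituted values are never re-scanned, so a "?" inside a value is inert.
def bind_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote(remaining.shift) }
end

# The unsafe pattern from the first answer: request input spliced into SQL text.
def interpolated_conditions(user_id)
  "bookings.user_id = #{user_id}"
end

# The safe pattern: request input passed as a bound value.
def bound_conditions(user_id)
  bind_conditions("bookings.user_id = ?", user_id)
end

# Defensive check: true when the input is a bare integer or ended up inside a
# single quoted literal, i.e. it could not change the shape of the WHERE clause.
def input_contained?(sql, input)
  return true if input.is_a?(Integer)
  sql.include?("'" + input.to_s.gsub("'", "''") + "'")
end

if __FILE__ == $0
  # Constructed request values: a normal id and one that tries to alter the clause.
  [1, "1 OR 1=1"].each do |param|
    puts "interpolated: #{interpolated_conditions(param)}"
    puts "bound:        #{bound_conditions(param)}"
  end
end
```

Running it prints the interpolated clause with the second input spliced in as bare SQL, while the bound clause keeps the same input inside a quoted literal; `input_contained?` is the check that tells the two apart.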
+2  A: 

What you're looking for is in here:

http://guides.rubyonrails.org/security.html#sql-injection

AND

http://guides.rubyonrails.org/security.html#mass-assignment

Be sure to read both carefully.

Jim