Hey,
we use Brakeman and first of all are really happy with it.
But I have a question. Brakeman warns about SQL injection
on some code where I would not have suspected it.
AFAIK arel_table is considered to be SQL sanitized. So I have code
like this:
  ar_table = Post.arel_table
  @posts = Post.where(ar_table[:itype].eq("SpecialPost"))
and Brakeman warns. I guess that is because I don't pass a hash as the
parameter to where, but an arel_table expression.
Can I ignore the warning, or do I misunderstand the concept of
arel_table?
-kmerz
--
Konrad Merz
genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
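An added example to illustrate the distinction behind the question (this is not code from the post above, and it is neither Brakeman's nor Arel's code). It uses only the Ruby standard library so it runs without Rails: `where_interpolated` pastes a value straight into the SQL text, the way a string-built `where("itype = '#{...}'")` would, while `where_quoted` turns the value into a quoted SQL string literal, which is the kind of quoting `ar_table[:itype].eq(value)` performs. The quoting rule (doubling single quotes), the table and column names, and the `INJECTION` payload are all assumptions constructed for the example.

```ruby
# Added example, not from the mailing-list post or from Brakeman/Arel.
# Models the difference between interpolating a value into a WHERE clause
# and quoting it as a SQL string literal (what Arel's `eq` does), using only
# the Ruby standard library.

# Unsafe: the raw value lands inside the SQL text, so a quote character in
# the value ends the literal and the rest is parsed as SQL.
def where_interpolated(column, value)
  "SELECT * FROM posts WHERE #{column} = '#{value}'"
end

# Quote a value as a SQL string literal. Assumption: doubling single quotes
# is the escaping rule (true for standard SQL string literals). In real Rails
# code use Arel / connection.quote rather than a hand-written quoter.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safer: the value is one literal no matter what characters it contains.
def where_quoted(column, value)
  "SELECT * FROM posts WHERE #{column} = #{quote_literal(value)}"
end

# Return the SQL text with every string literal (including '' escapes inside
# it) removed, i.e. only the parts the database will read as SQL syntax.
def outside_literals(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"
          i += 1 # doubled quote: escaped quote, still inside the literal
        else
          in_literal = false
        end
      end
    elsif c == "'"
      in_literal = true
    else
      out << c
    end
    i += 1
  end
  out
end

# A value has escaped the literal if an OR appears in the SQL-syntax part.
def injected?(sql)
  outside_literals(sql) =~ /\bOR\b/i
end

# Constructed attacker input, assumed to arrive via something like params[:type].
INJECTION = "SpecialPost' OR '1'='1"

if __FILE__ == $0
  puts where_interpolated("itype", INJECTION)
  puts where_quoted("itype", INJECTION)
  puts "interpolated injected? #{injected?(where_interpolated("itype", INJECTION)) ? 'yes' : 'no'}"
  puts "quoted injected?       #{injected?(where_quoted("itype", INJECTION)) ? 'yes' : 'no'}"
end
```

The `outside_literals` check is what a reviewer does by eye when deciding whether a warning is a true positive: if attacker-controlled characters can only ever sit inside a literal (or a bind parameter), the value cannot change the query's shape.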