<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body style="background-color: rgb(255, 255, 255); color: rgb(0, 0,
0);" bgcolor="#FFFFFF" text="#000000">
Brakeman is reporting "Unescaped parameter value" when using find with
parameterized queries (? or named placeholders).<br>
<br>
Country.find(:all, :conditions => [ "LOWER(name) = ?",
params[:name].mb_chars.downcase ])<br>
<br>
params[:name] = "Robert"<br>
Generated SQL:<br>
SELECT * FROM countries WHERE (LOWER(name) = 'robert');<br>
<br>
params[:name] = "Robert');DELETE * FROM countries;"<br>
Generated SQL:<br>
SELECT * FROM countries WHERE (LOWER(name) =
'robert'');DELETE * FROM countries;');<br>
<br>
<br>
As ActiveRecord sanitizes the parameters in a parameterized query,
is there any harm that could still be done with params being
unescaped in the find above, or is it a false positive?<br>
<br>
Thanks!<br>
<div class="moz-signature"><span style="color: black;">Ronie<br>
</span></div>
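The following is an added example, not code from the post above and not ActiveRecord's own implementation. It re-implements, in plain Ruby, the ? placeholder substitution that sanitize_sql_array performs (quoting the value and doubling embedded single quotes) and puts it beside naive string interpolation, so the two generated statements from the question can be compared directly. The helper statement_separators counts semicolons that fall outside string literals, which is the difference that matters for injection. Assumption: single-quote doubling is the only escaping the adapter needs (true for ANSI-style string literals; MySQL additionally escapes backslashes).

```ruby
# Added example (not from the original post, not ActiveRecord's code):
# minimal re-implementation of '?' placeholder quoting beside naive
# interpolation. Assumption: doubling single quotes is sufficient escaping.

def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each ? with the quoted form of the next bind value.
def sanitize_sql_array(template, *binds)
  remaining = binds.dup
  sql = template.gsub("?") do
    raise ArgumentError, "too few bind values" if remaining.empty?
    quote_value(remaining.shift)
  end
  raise ArgumentError, "too many bind values" unless remaining.empty?
  sql
end

# The safe form: the parameter only ever reaches SQL as a quoted literal.
def countries_by_name_parameterized(name)
  where = sanitize_sql_array("LOWER(name) = ?", name.downcase)
  "SELECT * FROM countries WHERE (#{where})"
end

# The unsafe form: the parameter is pasted into the statement verbatim.
def countries_by_name_interpolated(name)
  "SELECT * FROM countries WHERE (LOWER(name) = '#{name.downcase}')"
end

# Number of ';' that sit outside string literals, i.e. separators a
# database would honour. A doubled quote stays inside the literal.
def statement_separators(sql)
  in_literal = false
  count = 0
  i = 0
  while i < sql.length
    ch = sql[i]
    if ch == "'"
      if in_literal && sql[i + 1] == "'"
        i += 1            # escaped quote, still inside the literal
      else
        in_literal = !in_literal
      end
    elsif ch == ";" && !in_literal
      count += 1
    end
    i += 1
  end
  count
end

if __FILE__ == $0
  # Constructed inputs: a benign name and the payload from the question.
  ["Robert", "Robert');DELETE * FROM countries;"].each do |name|
    safe   = countries_by_name_parameterized(name)
    unsafe = countries_by_name_interpolated(name)
    puts "input:         #{name.inspect}"
    puts "parameterized: #{safe}  (separators: #{statement_separators(safe)})"
    puts "interpolated:  #{unsafe}  (separators: #{statement_separators(unsafe)})"
    puts
  end
end
```

Running it with the payload shows the parameterized statement carrying the whole payload inside one quoted literal (zero separators outside quotes), while the interpolated statement ends up with two statement separators the database would honour.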
</body>
</html>