Hi Ronie,

Are you sure this is the code generating the warning? I cannot reproduce the warning. Brakeman should definitely not be warning about this.
-Justin

On 2015-03-13 16:55, Ronie Henrich wrote:
> Brakeman is reporting Unescaped parameter value when using find with
> parameterized queries (? or named placeholders).
>
> Country.find(:all, :conditions => [ "LOWER(name) = ?",
> params[:name].mb_chars.downcase ])
>
> params[:name] = "Robert"
> Generated SQL:
> SELECT * FROM countries WHERE (LOWER(name) = 'robert');
>
> params[:name] = "Robert');DELETE * FROM countries;"
> Generated SQL:
> SELECT * FROM countries WHERE (LOWER(name) =
> 'robert'');DELETE * FROM countries;');
>
>
> As ActiveRecord sanitizes the parameters in a parameterized query, is
> there any harm that could still be done with params being unescaped on
> the find above or is it a False Positive?
>
> Thanks!
> Ronie
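The point under discussion, shown as an added, runnable example that is not part of this thread and not Brakeman's or ActiveRecord's code: `bind_placeholders` is a stand-in for ActiveRecord's `?` binding that quotes each value as a single SQL literal (embedded single quotes doubled, as in the generated SQL Ronie pasted), `unsafe_sql` is the string-interpolation form Brakeman is meant to catch, and `top_level_statements` splits SQL on `;` outside string literals so you can see that the placeholder version stays one statement while the interpolated version does not. `ATTACK_INPUT` is the value from Ronie's message; `mb_chars` is ActiveSupport and is replaced with plain `downcase` here. The quoting rule mirrors the SQLite/PostgreSQL style of escaping only the single quote; real adapters may escape more (MySQL also escapes backslashes).

```ruby
# Added example (not from the thread, Brakeman, or ActiveRecord).
# Runs offline with no database; it models only `?` placeholder binding.

# Quote a Ruby value as a single SQL string literal.
# Assumption: quoting by doubling single quotes, as the generated SQL in the post shows.
def sql_quote(value)
  return "NULL" if value.nil?
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each `?` in the template with the matching quoted value.
# Mismatched placeholder/value counts are an error, as in ActiveRecord.
def bind_placeholders(template, values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") { sql_quote(values[i += 1]) }
end

# The parameterized form from the post (mb_chars dropped; plain downcase).
def safe_sql(name)
  bind_placeholders("SELECT * FROM countries WHERE (LOWER(name) = ?)", [name.downcase])
end

# The interpolated form that Brakeman's "Unescaped parameter value" targets.
def unsafe_sql(name)
  "SELECT * FROM countries WHERE (LOWER(name) = '#{name.downcase}')"
end

# Split SQL into top-level statements on `;`, ignoring `;` inside '...'
# literals. A doubled quote ('') keeps the scanner inside the literal.
def top_level_statements(sql)
  statements = []
  current = +""
  in_string = false
  chars = sql.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if in_string
      current << c
      if c == "'"
        if chars[i + 1] == "'"
          current << "'"   # escaped quote, stay inside the literal
          i += 1
        else
          in_string = false
        end
      end
    elsif c == "'"
      in_string = true
      current << c
    elsif c == ";"
      statements << current.strip unless current.strip.empty?
      current = +""
    else
      current << c
    end
    i += 1
  end
  statements << current.strip unless current.strip.empty?
  statements
end

# Constructed input: the value from Ronie's message.
ATTACK_INPUT = "Robert');DELETE * FROM countries;"

if __FILE__ == $PROGRAM_NAME
  puts safe_sql(ATTACK_INPUT)
  puts top_level_statements(safe_sql(ATTACK_INPUT)).length    # 1 statement
  puts unsafe_sql(ATTACK_INPUT)
  puts top_level_statements(unsafe_sql(ATTACK_INPUT)).length  # 3 pieces, one a DELETE
end
```

With the placeholder form the whole injected string ends up inside one literal, so the `DELETE` is just data compared against `LOWER(name)`; with interpolation the same input closes the literal and yields a separate `DELETE` statement. That is the distinction Brakeman's check is meant to draw, which is why a warning on the `?` form would be a false positive.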
