Hi Justin,

Sorry, I forgot to mention the following:

In the controller I have:

    @country = Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])

And in the view I have:

    <%= @country.name %>

The warning goes away if I trick Brakeman with this in the controller:

    params[:name].tap do |name|
      Country.find(:all, :conditions => [ "LOWER(name) = ?", name.mb_chars.downcase ])
    end

Thanks!
Ronie

On 3/13/2015 5:01 PM, Justin wrote:
> Hi Ronie,
>
> Are you sure this is the code generating the warning? I cannot reproduce
> the warning. Brakeman should definitely not be warning about this.
>
> -Justin
>
> On 2015-03-13 16:55, Ronie Henrich wrote:
>> Brakeman is reporting Unescaped parameter value when using find with
>> parameterized queries (? or named placeholders).
>>
>> Country.find(:all, :conditions => [ "LOWER(name) = ?",
>> params[:name].mb_chars.downcase ])
>>
>> params[:name] = "Robert"
>> Generated SQL:
>> SELECT * FROM countries WHERE (LOWER(name) = 'robert');
>>
>> params[:name] = "Robert');DELETE * FROM countries;"
>> Generated SQL:
>> SELECT * FROM countries WHERE (LOWER(name) =
>> 'robert'');DELETE * FROM countries;');
>>
>>
>> As ActiveRecord sanitizes the parameters in a parameterized query, is
>> there any harm that could still be done with params being unescaped on
>> the find above or is it a False Positive?
>>
>> Thanks!
>> Ronie
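The quoting step the thread relies on, as an added stand-alone example (not code from the thread, from Brakeman, or from ActiveRecord itself): a minimal model of `?` placeholder binding that reproduces the generated SQL for both inputs above, beside a string-interpolated variant for contrast. It assumes the adapter escapes a single quote by doubling it, as in the SQL the thread shows; because `downcase` is applied to the whole parameter, the second result is fully lower-cased.

```ruby
# Quote a Ruby value as a SQL string literal: wrap in single quotes and
# double any embedded single quote. Assumption: the adapter escapes only
# quotes (PostgreSQL/SQLite style), matching the thread's generated SQL.
def quote_sql_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" in the template with the next quoted bind value.
# Simplified stand-in for ActiveRecord's placeholder handling; the bind
# values are never rescanned for placeholders, so a "?" inside user input
# cannot consume another bind.
def sanitize_sql_array(template, *binds)
  raise ArgumentError, "placeholder/bind count mismatch" unless template.count("?") == binds.size
  remaining = binds.dup
  template.gsub("?") { quote_sql_value(remaining.shift) }
end

# Model of the controller line from the thread: lower-case the parameter,
# then bind it through a placeholder. The value lands inside the quotes.
def country_lookup_sql(name_param)
  where = sanitize_sql_array("LOWER(name) = ?", name_param.downcase)
  "SELECT * FROM countries WHERE (#{where});"
end

# The unsafe form for contrast: the parameter is spliced into the SQL text,
# so a quote in the input closes the literal and the rest becomes SQL.
def country_lookup_sql_interpolated(name_param)
  "SELECT * FROM countries WHERE (LOWER(name) = '#{name_param.downcase}');"
end

if __FILE__ == $0
  # Constructed inputs, the same two the thread uses.
  ["Robert", "Robert');DELETE * FROM countries;"].each do |input|
    puts "bound:        #{country_lookup_sql(input)}"
    puts "interpolated: #{country_lookup_sql_interpolated(input)}"
  end
end
```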