Brakeman is reporting Unescaped parameter value when using find with parameterized queries (? or named placeholders).
    Country.find(:all, :conditions => [ "LOWER(name) = ?", params[:name].mb_chars.downcase ])

params[:name] = "Robert"
Generated SQL:

    SELECT * FROM countries WHERE (LOWER(name) = 'robert');

params[:name] = "Robert');DELETE * FROM countries;"
Generated SQL:

    SELECT * FROM countries WHERE (LOWER(name) = 'robert'');DELETE * FROM countries;');

As ActiveRecord sanitizes the parameters in a parameterized query, is there any harm that could still be done with params being unescaped on the find above, or is it a false positive?

Thanks!
Ronie