SQL injection from request parameters in manually built SQL in Rails

Risk: Critical | Category: sql-injection
Tags: ruby, rails, activerecord, sql-injection, request-parameters

What it is

A SQL injection vulnerability arises when request parameters are concatenated into SQL strings or conditions without placeholders or bind values. An attacker who controls those parameters can supply their own SQL, potentially reading or modifying sensitive data, escalating privileges, or dropping tables, which compromises application integrity and confidentiality.

ℹ️ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Request parameters are interpolated directly into SQL strings with Ruby's #{} syntax, so attacker-controlled values become part of the query text instead of being passed to the database as bound values.

Root causes

Request Parameter String Interpolation

Rails request parameters are directly interpolated into SQL strings using Ruby's string interpolation syntax.

Raw SQL Instead of ActiveRecord Methods

Using raw SQL with string concatenation instead of ActiveRecord's parameterized query methods.

Fixes

1. Use ActiveRecord Parameterized Queries

Replace string interpolation with ActiveRecord's parameter binding, using ? placeholders or hash conditions.

Implementation:
  User.where('email = ?', params[:email])
  User.where(email: params[:email])

2. Use ActiveRecord Query Interface

Leverage Rails' built-in query methods, which handle parameter binding automatically.

Implementation:
  User.find_by(email: params[:email])   # instead of raw SQL with string interpolation

3. Validate Request Parameters

Implement strong parameters and validation for all user input before database operations.

Implementation:
  Use params.require().permit() together with custom validations to ensure data integrity.
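To make the interpolation-versus-binding difference concrete, here is an added example (not code from Sourcery or from Rails itself). It builds the query text both ways from the same input, and adds a crude line-level check for the interpolation pattern described above; `bind_sql` and `quote_literal` are simplified stand-ins for ActiveRecord's placeholder binding and are assumptions, not the framework's own API.

```ruby
# Vulnerable pattern from the page: the parameter value is spliced straight
# into the SQL text, so a quote in the input changes the query's structure.
def unsafe_email_query(email)
  "SELECT * FROM users WHERE email = '#{email}'"
end

# Simplified stand-in (assumption) for a SQL string literal quoter:
# wrap in single quotes and double any embedded single quote.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Simplified stand-in (assumption) for ActiveRecord's `?` placeholder binding:
# every `?` is replaced by a quoted literal, so input stays data, never SQL.
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") { quote_literal(values[i += 1]) }
end

def safe_email_query(email)
  bind_sql("SELECT * FROM users WHERE email = ?", email)
end

# Crude static check for the root cause on this page: a query-building call
# whose argument interpolates or concatenates params[...] into the SQL text.
RISKY_CALL = /\.(where|find_by_sql|order|select|group|having|joins|pluck)\s*\(/
INTERPOLATED_PARAM = /\#\{\s*params\[|\+\s*params\[/

def flags_interpolated_params?(line)
  RISKY_CALL.match?(line) && INTERPOLATED_PARAM.match?(line)
end

if __FILE__ == $0
  # Constructed input: an ordinary value that happens to contain a quote.
  email = "o'brien@example.com"
  puts unsafe_email_query(email)  # quote ends the literal early; query structure changes
  puts safe_email_query(email)    # quote is escaped; it stays inside the literal
end
```

The unsafe form is broken by a plain apostrophe in an e-mail address, which is the same mechanism an attacker relies on; the bound form keeps the whole value inside one literal.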

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from request parameters in manually built SQL in Rails, along with many other security issues in your codebase.