SQL built with string interpolation (Ruby)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An ActiveRecord where/find_by_sql/execute call interpolates a value with #{...} inside a SQL string instead of using a placeholder or hash conditions.
Why it matters
Interpolating #{value} into a where/find_by_sql/execute string builds the query from text, which is SQL injection. ActiveRecord supports placeholders and hash conditions that bind values safely. It is a heuristic because interpolating a trusted constant would also match.
How to fix it
Use bound conditions: where("id = ?", id) or where(id: id) with a hash, and pass values as arguments instead of interpolating them. For raw SQL, use sanitize_sql_array or the array/hash forms rather than #{}.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo